Its Day 94 of my 100 Days of Cloud journey and in todays post we’ll take a quick look at Azure VMware Solution.
For decades, VMware has dominated the Hypervisor market in the face of competition from vendors such as Microsoft, Citrix, Oracle and Red Hat. They’ve provided innovation with the launch of ESXi and vCenter, and continued that by branching out into products such as Horizon, vRealize, Cloud Foundation and NSX to name but a few.
You can now provision VMware private clouds in Azure using Azure VMware Solution. A deployment contains VMware vSphere clusters built from dedicated bare-metal Azure infrastructure.
The minimum initial deployment is three hosts, but additional hosts can be added one at a time, up to a maximum of 16 hosts per cluster. All provisioned private clouds have:
VMware vCenter Server
VMware NSX-T Data Center
As a result, you can migrate workloads from your on-premises environments, deploy new virtual machines (VMs), and consume Azure services from your private clouds.
Each host contains:
Dual Intel 18 core, 2.3-GHz processors
Two vSAN disk groups with 15.36 TB (SSD) of raw vSAN capacity tier and a 3.2 TB (NVMe) vSAN cache tier.
Shared Responsibility Model
Like all services deployed in Azure, there is a Shared Responsibility model in place for what Microsoft manages versus what the Customer manages. The beauty of Azure VMware Solution is that the majority of the underlying VMware Components are managed by Microsoft. We can see from the diagram below where the responsibilities lie for each of the components:
When you think of the amount of time that is spent with on-premises deployments managing Physical Infrastructure, Networking, Identity and Security, you can see the benefits of hosting your VMware in Azure VMware Solution.
Interconnectivity to your On-Premises environments
You can connect your AVS and On-Premises deployments by using Express Route Connections and Express Route Global Reach to interconnect the environments.
Once the connection is in place, you can use VMware HCX to migrate your on-premises workloads into Azure VMware Solution.
Scenarios for Azure VMware Solution
Like all discussions around moving to Azure or any other Public Cloud provider from an on-premises environment, the scenario needs to be one best suitd to your business needs. Some examples are:
Migrate existing assets “as is” – Take the fast path to the cloud. Replicate existing IT systems, apps, and workloads natively in Azure (also known as a “lift and shift” migration) without needing to change them beforehand.
Reduce your datacenter footprint – If your enterprise wants to leave the datacenter business, you can use Azure as a way to enable decommissioning legacy infrastructure, after you’ve brought resources into the cloud.
Prepare for disaster recovery and business continuity – Move your apps to the cloud without disruption to your business. You can also deploy VMware resources on Azure for a primary or secondary on-demand recovery site to provide business continuity for your existing on-premises datacenter resources.
Modernize your workloads Provide a future path to innovate and expand on the value of cloud investments. At your speed and pace, take advantage of Azure tools and services to modernize your datacenter and applications.
So thats a quick intro to Azure VMware Solution. There are lots of great resources, such as the Microsoft Learn modules, the official Microsoft and VMware Documentation, and this great episode of Azure Friday where Shannon Kuehn gave Scott Hanselman a demo of Azure VMware Solution.
Its Day 93 of my 100 Days of Cloud journey and in todays post we’ll take a quick look at both FSLogix and creating your own Custom Images for your Azure Virtual Desktop environment!
So after yesterdays disappointing end to the demo build of the AVD environment, I’ve decided to tear down the entire environment and start again from scratch in the hope of finding either the solution or where I went wrong in the process.
I’ll update the Day 92 post and update my social channels once that happens, but for now lets move on to look at 2 of the more interesting concepts of Azure Virtual Desktop, and we’ll kick off with FSLogix.
In its simplest form, FSLogix is designed to abstract the user profile from the underying operating system and provide roaming profiles in Azure Virtual Desktop and other remote computing environments. Its stores the complete user profile in a single container that is dynamically attached to the Session Host at user sign-in.
A remote or roaming user profile provides an abstraction between user data and the operating system, and allows the operating system to be replaced or changed without affecting the user data. This may happen for the following reasons:
An upgrade of the operating system
A replacement of an existing Session Host
A user being part of a pooled (non-persistent) AVD environment
So what is FSLogix – effectively its software that is installed on the Session Host to allow the profile data to be abstracted off to a file share that is hosted on an Azure Storage Account.
The steps involved in getting this set up are:
Create Storage Account with Private Endpoint
Create a File Share
Enable Active Directory authentication on the Storage account
Configure Storage account Access control (IAM)
Configure NTFS rights on the Azure File Share
Install FSLogix Profile Container in your WVD Host pool
Configure FSLogix Profile Container via GPO
Robin Hobo has written an excellent blog post on the process for implementing FSLogix and you can find that here.
There are a few best practises that are recommended to follow when implementing Azure Storage Accounts and Azure Files for FSLogix Containers:
Azure Files storage account must be in the same region as the session host VMs.
For optimal performance, the storage solution and the FSLogix profile container should be in the same data center location.
You can find full detail in the official FSLogix Documentation here.
For anyone who deploys images either on VDI or via SCCM or WSUS to Desktop/Laptop devices, a custom image is something that the majority of us have built on one platform or another over time.
The process is the same as its always been:
Create a base image using a VM.
Install all OS updates and require software.
Sysprep the image to generalize it for multi-deployment use.
Capture the image to your deployment software.
Creating a Custom Image for Azure Virtual Desktop is no different to the above, except for a few additional steps using a really cool script available on GitHub.
So the steps are as follows:
Create your VM in the Azure Portal – make sure the OS is Windows 10/11 Enterprise multi-session.
RDP to the VM and run all of your Windows Updates.
Now this is where things get interesting and cool! Shawn Meyer has created a customization script with a UI that allows you to quickly install the required applications, along with necessary policies and settings for and optimized user experience. The script and supporting folders can be downloaded via this link.
Once this is downloaded, extract the Customizations.Zip file, and then run .\Prepare-WVDImage.ps1 -DisplayForm which will display this:
As we can see, this contains all that we need to prepare our image. When you select your desired options and click “Execute”, this will run a PowerShell script.
Once the script completes, you can now run Sysprep to generalize the image. The command to run is sysprep.exe /oobe /generalize /shutdown.
Once the sysprep is complete, go back to the VM in the Portal, ensure it is stopped, and then click “Capture”
Ensure that the option “No, capture only a managed image” is selected, and this will create the image.
Now, when you go to create the Session Hosts in your Host Pool, you will have the option to select your image from the Gallery and browse to select the Custom Image you have just created.
So thats a brief rundown of how FSLogix works and also how you can create your own Custom Images for your Azure Virtual Desktop Session Hosts.
Created our Log Analytics Workspace for logging our monitoring data
Created our Test Users in Azure AD
Created the Host Pool
Created the Assignments to allow users to access the desktops
Created the Service Hosts
Verified that Diagnostic Settings are working
Added our Session Hosts into Monitoring
Lets dive back in where we left off and configure our Application Groups.
An Application Group is a logical grouping of applications installed on session hosts in the host pool. They are of two types:
An application group of type ‘Desktop’ was created automatically while creating the Session Hosts.
Lets check to ensure our users are assigned to the Desktop application group. To do this, we click into the Desktop Group, choose the “Assignments” option under “Manage”.
We can see that the users are assigned, but do not have an “Assigned VM”. This is because for Personal Host Pools the users will be automatically assigned a VM when they try to launch the desktop, and their user session will be load-balanced to an available session host if they haven’t already connected to the host pool. There is an option to configure direct assignment – you can find more details and commands on how to do this in the article here.
Because we are using a Personal Host Pool and alreay have a Desktop pool assigned, it means we cannot add an RemoteApp Application Group to the same host pool – if we wanted to do that we would need to either use a Pooled Host Pool or else create a new Host Pool.
We can see if we try to create a new Application Group in the same Host Pool, we get an error when we select the existing Host Pool:
The official line in the Microsoft Docs article here states:
We don’t support assigning both the RemoteApp and desktop app groups in a single host pool to the same user. Doing so will cause a single user to have two user sessions in a single host pool. Users aren’t supposed to have two active user sessions at the same time, as this can cause the following things to happen:
The session hosts become overloaded
Users get stuck when trying to login
Connections won’t work
The screen turns black
The application crashes
Other negative effects on end-user experience and session performance
And this makes sense – its easier to have Desktop Sessions as part of one host pool and Application Sessions as part of another.
Lets move on to looking at the different methods for connecting our users to their Desktop Sessions.
Access the Published Desktop using Browser or Remote Desktop Client
Open the following URL in a new private mode browser tab (or incognito mode) in your own workstation/laptop. This URL will lead us to the Remote Desktop Web Client.
This will launch a logon screen – we’ll use the “Bruce Wayne” account to sign on:
And once we get signed on, we can see our Session Desktop available:
We’ll launch the session and this will ask to to allow access to local reesources. Choose your preferences here and click “Allow”
This will again ask for credentials, so we enter these and click Submit:
And it fails …..
Hmmm, why is that. Time to go off into the weeds to look into this.
So a few hours later and I’m still trying to get this working. And what I’ve found out in that time is as follows:
For Azure AD-Joined VMs, in order to access the session host the desktop you are connecting from must meet one of the following conditions:
The local PC is Azure AD-joined to the same Azure AD tenant as the session host.
The local PC is hybrid Azure AD-joined to the same Azure AD tenant as the session host.
The local PC is running Windows 11 or Windows 10, version 2004 or later, and is Azure AD registered to the same Azure AD tenant as the session host.
So, this was never going to work from my local PC across the internet.
So to get around that, I spun up a new Windows 10 VM in Azure and Azure AD-joined it in the same way as my session hosts are. And tried to access my Azure Virtual Desktop pool from there…..
And it failed with the same errors……
I’ve also checked and ensured the following:
The users are assigned the Virtual Machine User Login Role for both the Host Pool and the Resource Group where the Session Host VM’s are deployed.
The users are assigned the Virtual Machine Administrator Login Role for both the Host Pool and the Resource Group where the Session Host VM’s are deployed.
The funny thing (if we can call it funny…) is that although Log Analytics is reporting errors with signins, everything looks to be set up correctly. Johan Vanneuville has already written an excellent article about this, and advised that signin errors can be fixed by enabling PKU2U authentication in the Local Security Policy on each VM:
Thats been checked, its enabled but its still not allowing logins.
So as a last resort, I added a Public IP Address to each of the Session Hosts and tried to RDP and logon directly to them using both Bruce and Clark’s Azure AD logins. And they can both logon over RDP, but not using Azure Virtual Desktop!
So this hasn’t worked unfortunately 😦 ….. Sorry!
If it had, the virtual desktop would have launched and looked similar to the screenshot below:
To close off this section, I’m sure it does work, but I’m probably going to rip up the environment and start again. However, I’ve seen other threads such as this one and this one which have both included some excellent suggestions from the community, but there has yet to be a definitive answer or fix on what the issue is and how to resolve it.
Lets close this post off by looking at Log Analytics and the data that was gathered from our Azure Virtual Desktop deployment. We’ll go to our Resource Group and click into our Log Analytics Workspace:
If we click on “Log” under the “General” menu, this gives is a splashscreen with a list of builtin queries available to run for a number of different Azure resources, and there is a full section for Azure Virtual Desktop:
If we run the “Connection Errors” query, this will paste a Kusto Query Language (KQL) query and will generate a set of results based on the query:
There are also a number of options to create alert rules based on queries or export the query results to CSV, Excel or Power BI.
So thats the end of this post, where we attempted (but ultimately failed for now) to get our Azure Virtual Desktop demo working. We did manage to capture all of the data in Log Analytics though, so maybe a bit more sifting through that will give the answer.
And here’s a chance for all you community memmbers to get involved – lets see if we can get this working! In the meantime, I’ll keep working on this and may rebuild the environment from scratch again to see if I’ve missed anything.
For those of you with any doubts, Azure Virtual Desktop does work! The Azure AD integration is a recent feature, and AVD is mostly deployed using synced AD DS identities.
Next time, I’ll give a run through of FSLogix and also how to create custom images for AVD.
Its Day 91 of my 100 Days of Cloud journey and as promised in todays post we’ll start our Demo build of an Azure Virtual Desktop environment!
In the last post, we looked at a high-level overview of the benefits and concepts of Azure Virtual Desktop, and the management responsibilities of both Microsoft and the Customer.
Lets dive straight into the Demo and set up our sample Azure Virtual Desktop environment.
We need to set up our prerequisites and in this case there are only 2 that we need. Firstly lets set up a Log Analytics workspace which we can send all of our log data to. So we log onto the Portal, click “Create a resource” and search for Log Analytics Workspace. And click Create:
We’ll select our Subscription and create a new Resource Group. We’ll also give our Workpace and name and select a region where it will be stored. Once thats done, click “Review and Create”:
As you can see, we default to a “Pay-as-you-go” pricing tier. Click “Create” to create ourLog Analytics Workspace:
Once thats created, the next thing we need is Authentication. To deploy Azure Virtual Desktop environment, we need either:
Azure Active Directory
Active Directory Domain Services
I’m going to use Azure AD for the purposes of the lab, and have created some users already. Its always great to see Bruce, Clark and Tony ready for action:
And thats the prerequisistes done – we are now ready to create the host pool.
Create Host Pool
A Host Pool is a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts when you run the Azure Virtual Desktop agent. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience.
So what we’ll do in this section is as follows:
Create a Host Pool named MD-AVD-HP01 of personal type.
Register the default desktop application group from this hostpool to a new workspace named MD-AVD-WS01.
Lets go to the Azure portal and search for Azure Virtual Desktop. This will bring us into the Azure Virtual Desktop management window:
Now select Host pools under Manage blade and then click on “Create” to add new Host Pool:
We will provide the details required to create a Host Pool.
Project Details – Defines the Host Pool environment
Subscription: Choose the default subscription.
Resource Group: Select md-avd-demo from the drop down.
Host Pool Name: MD-AVD-HP01
Location: North Europe (this should be same as the region of your resource group).
Validation environment: Yes (Validation host pools let you monitor service updates before rolling them out to your production environment. This needs to be set to Yes here as we are joining this to an Azure AD environment).
Host Pool Type: Personal (I need to choose Personal for the demo as I’m using Azure AD. This is not currently supported for Pooled desktops).
Note – when you select “Pooled” as the host pool type, you have additional options. I’ve included a screenshot of what this looks like:
Load Balancing Algorithm: there are two types:
Breadth-first load balancing allows you to evenly distribute user sessions across the session hosts in a host pool.
Depth-first load balancing allows you to saturate a session host with user sessions in a host pool.)
Max Session Limit: limits the simultaneous number of users on the same session host.
Now we click next and go the the the Virtual machines tab. I’m going to leave this at “No” for now – because I am using Azure AD for authentication I habve some additional steps to do before creating my Session Hosts.
We click next and move on to the Workspace tab. Once we select “Yes” to “Register desktop app group”, we need to create a workspace called MD-AVD-WS01:
Finally in the Diagnostics tab, we enable diagnostic settings and choose to send these to our Log Analytics Workspace. As you can see, we can also choose to archive to a storage account or send the events to an Event Hub:
Now we can click on “Review and Create” and review the details in the Validation screen:
Once we are happy click on “Create” to create our Host Pool and we’ll get a screen similar to below to tell us the Deployment is completed:
And we can see that we have a Host Pool created in our Azure Virtual Desktop console:
Configure Azure AD Authentication
Because I’m using Azure AD for the demo, I need to assign my users permissions to access the desktop. Firstly, I need to go to my DAG object in the Application Group of the Host Pool and go to “Assignments”:
We then click on “Add” and select our users:
Azure AD Role Assignments
To allow users to log on to the Virtual Machines, we also need to add Role Assignments. There are 2 we need to add:
Virtual Machine Administrator Login
Virtual Machine User Login
We can ensure that these roles are assigned automatically by assigning this at the IAM level of our Resource Group:
In order for the Host Pool to know that the session hosts are Azure AD joined, we need to add an advanced RDP property. So we go back to my Host Pool, choose “RDP Properties” from the settings menu and under Advanced we add the following string:
Click on “Save” to save the changes.
Create Session Hosts
We’re now ready to create our Session Hosts. So we’ll go back to our Host Pool, select “Session Hosts” from the “Manage” menu and click on “Add”:
The “Basics” tab is already pre-populated with the information from our Host Pool:
This will give us the options to provide details for the VMs we need to add:
Resource Group: Select md-avd-demo from the drop down.
Name prefix: md-avd-sh0
Virtual machine location: North Europe (location should be same as location of your resource group).
Availability options: Select No infrastructure redundancy required from the drop down (again, this is being used for the purposes of the demo).
Image type: Gallery
Image: Windows 10 Enterprise, version 21H2
Virtual machine size: Standard B2s. (You can click on Change Size, then select the size you require and click on Select to choose the size)
Number of VMs: 2
OS Disk Type: Standard HDD (you can choose based on your requirements)
Next we scroll down to the “Network and security” section and specify the Virtual Network and Subnet that we wish to use:
Finally on this screen, we scroll down and specify whether we wish to join an Active Directory or Azure Active Directory. We also specify admin accounts for the Session Host VM’s we are creating:
Finally, on the “Advanced” tab we need to enable Diagnostic Settings and send the logs to our Log Analytics Workspace:
Once all of the info is correct and has been validated, we click Create to create our Session Hosts. Once thats created, we should see our Virtual Machines
And if we drill down into “Session hosts”, we should see both hosts set as available:
Note – this step may take up to 30 minutes to complete, and you may see errors on the Session Hosts. Don’t panic! If you’ve followed the steps above, the errors will eventually clear and the hosts will show as available.
We now need to check and ensure diagnostic features for both the host pool and workspace to allow us to analyse monitoring data. We set this up when creating the host pool and session hosts, but lets make sure its set up and also we can see what we’re going to monitor.
Lets go to our host pool first and we go to Diagnostic Settings in the Monitoring menu:
We do the same check for Workspace to ensure that this is configured correctly:
Lets also enable this for our Session Hosts – we need to do that directly on the VMs in the Resource Group. So we go to the Monitoring menu, select Insights, and then click on “Enable”:
We’ll get a prompt telling us that the VM is not connected to a workspace. We select the Subscription and Workspace that we wish and click “Enable”:
Give that a few minutes and you’ll then go back in and see some data in the Insights page:
Thats where we’ll pause for breath! Lots of information there, so just to recap:
We created our Log Analytics Workspace for logging our monitoring data
Created our Test Users in Azure AD
Created the Host Pool
Created the Assignments to allow users to access the desktops
Created the Service Hosts
Verified that Diagnostic Settings are working
Added our Session Hosts into Monitoring
We’ll continue the demo in the next post where we’ll create our Application Groups for both Desktop and Remote App, connect to our AVD resources using the different methods available. We’ll also look at our monitoring data that being collected.
Its Day 90 of my 100 Days of Cloud journey and in this post I’ll be taking a looks at the benefits and architecture of Azure Virtual Desktop.
In the last post we touched briefly on Azure Virtual Desktop in comparison to Windows 365 Cloud PC. Both solutions allow you to easily support accessibility for users, on any device, from anywhere. However while Windows 365 Cloud PC can be easily deployed and managed, Azure Virtual Desktop has greater flexibility which leads to a greater management overhead for administrators.
In the next 2-3 posts after this one, we’ll demo how to set up an Azure Virtual Desktop deployment, but first let familiarize ourselves with the benefits, core concepts and architecture.
Benefits of Azure Virtual Desktop
With Azure Virtual Desktop you can:
Set up a multi-session Windows 10 deployment that delivers a full Windows 10 with scalability.
Virtualize Microsoft 365 Apps for enterprise and optimize it to run in multi-user virtual scenarios.
Provide Windows 7 virtual desktops with free Extended Security Updates.
Bring your existing Remote Desktop Services (RDS) and Windows Server desktops and apps to any computer.
Virtualize both desktops and apps.
Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience.
Bring your own image for production workloads.
Use autoscale to automatically increase or decrease capacity based on time of day, specific days of the week, or as demand changes, helping to manage cost.
Core Concepts and Hierarchy
Before we jump into the Demo, lets take a quick look at some of the key concepts of Azure Virtual Desktop and where they each sit in the hierarchy of an Azure Virtual Desktop architecture.
Host pools are a collection of one or more identical virtual machines within Azure Virtual Desktop tenant environments. Each host pool can be associated with multiple RemoteApp groups, one desktop app group, and multiple session hosts. Host Pools can be one of two types:
Personal, where each session host is assigned to individual users.
Pooled, where session hosts can accept connections from any user authorized to an application group within the host pool. You can set additional properties on the host pool to change its load-balancing behavior, how many sessions each session host can take, and what the user can do to session hosts in the host pool while signed in to their Azure Virtual Desktop sessions. You control the resources published to users through application groups.
There is no limit to the number of pools, and these can be easily scaled either manually or automatically allowing you to add or reduce capacity based on demand which can help manage costs.
An Application group is a logical grouping of applications installed on session hosts in the host pool. An application group can be one of two types:
RemoteApp, where users access the RemoteApps you individually select and publish to the application group.
Desktop, where users access the full desktop By default, a desktop application group (named “Desktop Application Group”) is automatically created whenever you create a host pool. You can remove this application group at any time. However, you can’t create another desktop application group in the host pool while a desktop application group already exists. To publish RemoteApps, you must create a RemoteApp application group. You can create multiple RemoteApp application groups to accommodate different worker scenarios. Different RemoteApp application groups can also contain overlapping RemoteApps.
A workspace is a logical grouping of application groups in Azure Virtual Desktop. Each Azure Virtual Desktop application group must be associated with a workspace for users to see the remote apps and desktops published to them.
After you’ve assigned users to their application groups, they can connect to a Azure Virtual Desktop deployment with any of the Azure Virtual Desktop clients.
The diagram below is a typical Azure Virtual Desktop Architecture:
Components – Microsoft Managed versus Customer Managed
We’ve all seen the “as a service” model which is used sometimes to explain what services Microsoft manages versus what a customer managed across IAAS, PAAS and SAAS offerings.
Azure Virtual Desktop is no different in that some of the components of the service are managed by Microsoft and some are required be be managed by the customer. Lets do a quick breakdown of these.
Microsoft manages the following Azure Virtual Desktop services, as part of Azure:
Web Access Service: allows users access virtual desktops and remote apps through a web browser from anywhere on any device. You can secure Web Access using multifactor authentication in Azure Active Directory.
Remote Connection Gateway Service: allows remote users to connect to Azure Virtual Desktop apps and desktops from any internet-connected device that can run an Azure Virtual Desktop client. The client connects to a gateway, which then orchestrates a connection from a VM back to the same gateway.
Connection Broker Service: service manages user connections to virtual desktops and remote apps. The Connection Broker provides load balancing and reconnection to existing sessions.
Remote Desktop Diagnostics: event-based aggregator that marks each user or administrator action on the Azure Virtual Desktop deployment as a success or failure. Administrators can query the event aggregation to identify failing components.
Extensibility or Management: Azure Virtual Desktop includes several extensibility components. You can manage Azure Virtual Desktop using Windows PowerShell or with the provided REST APIs, which also enable support from third-party tools.
Customers manage these components of Azure Virtual Desktop solutions:
Azure Virtual Network: allows Azure resources like VMs communicate privately with each other and with the internet. You can enforce your organizations policies by connecting Azure Virtual Desktop host pools to an Active Directory domain. You can connect an Azure Virtual Desktop to an on-premises network using a virtual private network (VPN), or use Azure ExpressRoute to extend the on-premises network into the Azure cloud over a private connection.
Identity – there are 2 options for authentication against Azure Virtual Desktop:
Azure Active Directory: Azure Virtual Desktop uses Azure AD for identity and access management. Azure AD integration applies Azure AD security features like conditional access, multi-factor authentication, and the Intelligent Security Graph, and helps maintain app compatibility in domain-joined VMs.
Active Directory Domain Services: Azure Virtual Desktop VMs must domain-join an AD DS service, and the AD DS must be in sync with Azure AD to associate users between the two services. You can use Azure AD Connect to associate AD DS with Azure AD.
Azure Virtual Desktop session hosts: A host pool can run the following operating systems:
Windows 7 Enterprise
Windows 10 Enterprise
Windows 10 Enterprise Multi-session
Windows Server 2012 R2 and above
Custom Windows system images with pre-loaded apps, group policies, or other customizations
Azure Virtual Desktop Workspace: this is used to manage and publish host pool resources.
As I also touched briefly on in the last post, you also have the option to host your Azure Virtual Desktop environment locally on an on-premises Azure Stack HCI infrastructure. This however is still in preview, and you can find more details here.
Thats a high-level overview of the benefits and concepts of Azure Virtual Desktop. You can find the full details of how it works in the official Microsoft Documentation here. In the next post, we’ll start our Demo build of an AVD environment!
Its Day 89 of my 100 Days of Cloud journey, and todays post is going to give a quick comparison between Windows 365 Cloud PC and Azure Virtual Desktop.
The global Covid-19 pandemic has accelerated the demand for cloud-based solutions. Businesses and Educational Institutions have needed to quickly adapt to remote work and distance learning in a hybrid world.
While we’ve all seen or heard of Windows Remote Desktop Services, Citrix would to most of us be more recognizable as the leader in the VDI and Remote Desktop space down through the years. However, Microsoft are playing catch-up and given the integration offerings that are available across the multitude of Cloud Services, they have 2 offerings in Windows 365 Cloud PC and Azure Virtual Desktop. Both solutions allow you to easily support accessibility for users, on any device, from anywhere.
So they both sound like they do the same thing, and when logging on both look the same, but they’re not really. Lets take a closer look at the differences between then, the difference in costs and licencing, and try to determine which one is the best fit for your business.
Windows 365 Cloud PC
Windows 365 is a cloud-based service that automatically creates a new type of Windows virtual machine (Cloud PCs) for your end users. Each Cloud PC is assigned to an individual user and is their dedicated Windows device. Licences are purchased either through the Microsoft 365 Admin center or through the Windows Products site (if you do not have a Microsoft 365 Subscription), and are assigned directly to the user. When you assign a licence, the Cloud PC is automatically provisioned for you.
There are 2 subscription levels to choose from which each have a number of size options:
Business: this is for smaller organizations (up to 300 users) that want a simple way to buy, deploy, and manage Cloud PCs. The 3 size options are:
Basic (approx €35 per month): Recommended for light productivity and web browsers. Comes with 2 vCPU, 4GB RAM and 128GB of Storage. Supports Desktop versions of Office Apps, Teams and OneDrive
Standard (approx $40 per month): Recommended for full productivity and line of business apps. Comes with 2 vCPU, 8GB RAM and 128GB of Storage. Supports Desktop versions of Office Apps, Teams and OneDrive
Premium (approx $65 per month): Recommended for high performance workloads and heavy data processing. Comes with 4 vCPU, 16GB RAM and 128GB of Storage. Supports Desktop versions of Office Apps, Teams and OneDrive and also Dynamics 365, PowerBI and Visual Studio.
Enterprise: this is for organizations that want to manage their Cloud PCs with Microsoft Endpoint Manager and take advantage of integrations with other Microsoft services. There is no user limit on the Enterprise tier. The 3 size options are:
Basic (approx €35 per month): Integrated with Microsoft Endpoint Manager. Recommended for light productivity and web browsers. Comes with 2 vCPU, 4GB RAM and 128GB of Storage. Supports Desktop versions of Office Apps, Teams and OneDrive
Standard (approx $40 per month): Integrated with Microsoft Endpoint Manager. Recommended for full productivity and line of business apps. Comes with 2 vCPU, 8GB RAM and 128GB of Storage. Supports Desktop versions of Office Apps, Teams and OneDrive
Premium (approx $65 per month): Integrated with Microsoft Endpoint Manager. Recommended for high performance workloads and heavy data processing. Comes with 4 vCPU, 16GB RAM and 128GB of Storage. Supports Desktop versions of Office Apps, Teams and OneDrive and also Dynamics 365, PowerBI and Visual Studio.
So as we can see, there is no difference in the performance levels between the tiers, the only difference is the Microsoft Endpoint Manager integration on the Enterprise tier.
The big differences and advantage that Enterprise offers is:
Cloud PCs can be joined to your enterprise Active Directory domain and synced to Azure AD, or Azure AD joined.
the ability to connect your Cloud PC to your on-premises resources.
allows you to use custom images that you can build yourself as the base images for your Cloud PCs.
If you are not sure which option is best for you, Microsoft provides a Cloud PC Chooser website where you can fill in a number of questions to determine which Windows 365 Cloud PC is the right option for your business.
Azure Virtual Desktop
While Azure Virtual Desktop is similar in many ways to Windows 365 Cloud PC, these are really only on the surface. It also provides a virtual desktop to the user, but there is more flexibility in how this is delivered. However that flexibility comes with a greater need for administration and a larger workload for IT professionals.
One of the major benefits of Azure Virtual Desktop is that it can be delivered as either a personal desktop in the same way as Windows 365 Cloud PC or a pooled desktop where multiple users can access a pool of desktops.
Personal Desktops functions in the same way as Windows 365 Cloud PC but runs in a “pay as you use” pricing model and also allows for multiple user sessions on a single Windows 10 or 11 desktop.
Pooled desktops or personal host pools are a collection of nodes that runs a “user to desktop” relationship. You can create a pool of nodes to whatever sizing specification you require and assign them to users, so for example you could create a pool of 8 nodes and assign 40 users to those nodes. The user settings, profile and data changes are still present after logout as these are abstracted away from the OS Drives of each node to an FSLogix Profile container which holds the user profiles and is mounted transparently at logon to integrate with the User Session.
There is no limit to the number of pools, and these can be easily scaled either manually or automatically allowing you to add or reduce capacity based on demand which can help manage costs.
There is also an option (currently in preview) to run Azure Virtual Desktop on your on-premises Azure Stack HCI infrastructure which can further reduce costs and meet data locality requirements.
So thats an in-depth look and Windows 365 Cloud PC and a brief look at the differences in Azure Virtual Desktop, which I’m going to cover in more detail in the next few posts.
So which is the right choice? Depends on your requirements, Windows 365 Cloud PC gives you recurring monthly costs with very little administration or overheads, while Azure Virtual Desktop gives you more flexibility and a “pay as you use” model, but the administration effort is higher. There are plenty of 3rd party integrators out there to help with this administration load, and Nerdio is premier player in the market at present.
Its Day 88 of my 100 Days of Cloud journey and as promised, in todays post I’ve finally gotten to Azure Kubernetes Service.
On Day 86, we introduced the components that make up Kubernetes, tools used to manage the environment and also some considerations you need to be aware of when using Kubernetes, and in the last post we installed a local Kubernetes Cluster using Minikube.
Today we move on to Azure Kubernetes Service and we’ll look first at how this differs in architecture from an on-premises installation of Kubernetes.
Azure Kubernetes Service
As always lets start with the definition – Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage clusters. The operational overhead is offloaded to Azure, and it handles critical tasks such as health monitoring and maintenance.
When you create an AKS cluster, a control plane or master node is automatically created and configured, and provided at no cost as a managed Azure resource. You only pay for the nodes attached to the AKS cluster. The control plane and its resources reside only on the region where you created the cluster.
AKS Cluster Nodes are run on Azure Virtual Machines (which can be either Linux or Windows Server 2019), so you can size your nodes based on the storage, CPU, memory and type that you require for your workloads. These are billed as standard VMs so any discounts (including reservations) are automatically applied.
Its important to note though that VM sizes with less than 2 CPUs may not be used with AKS – this is to ensure that the required system required pods and applications can run reliably.
When you scale out the number of nodes, Azure automatically creates and configures the requested number of VMs. Nodes of the same configuration are known as Node Pools and you define the number of nodes required in a pool during initial setup (which we’ll see below).
Azure has the following limits:
Maximum of 5000 Clusters per subscription
Maximum of 100 Nodes per cluster with Virtual Machine Availability Sets and Basic Load Balancer SKU
Maximum of 1000 Nodes per cluster with Virtual Machine Scale Sets and Standard Load Balancer SKU
Maximum of 100 Node Pools per cluster
Maximum of 250 Pods per node
When you create a cluster using the Azure portal, you can choose a preset configuration to quickly customize based on your scenario. You can modify any of the preset values at any time.
Standard – Works well with most applications.
Dev/Test – Use this if experimenting with AKS or deploying a test application.
Cost-optimized – reduces costs on production workloads that can tolerate interruptions.
Batch processing – Best for machine learning, compute-intensive, and graphics-intensive workloads. Suited for applications requiring fast scale-up and scale-out of the cluster.
Hardened access – Best for large enterprises that need full control of security and stability.
If we go into the Portal and “Create a Resource”, select “Containers” frm the categories and click on “Create” under Kubernetes Service:
As we can see this throws us into our screen for creating our Cluster. As always, we need to select a Subscription and Resource Group. Down below this is where it gets interesting, and we can see the preset configurations that we described above:
We can see that “Standard ($$)” is selected by default, and if we click on “Learn more and compare presets”, we get a screen showing us details of each option:
I’m going to select “Dev/Test ($)” and click apply to come back to the Basics screen. I now give the Cluster a name and select a region. We can also see that I can select different Kubernetes versions from the dropdown:
Finally on this screen, we select the Node Pool options and can select Node size (you can change the size and select whatever VM size that you need to meet your needs), manual or auto scaling and the Node Count:
We click next and move on to the “Node Pools” screen, where we can add other Node Pools and select encryption options:
The next screen is “Access” where we can specify RBAC access and also AKS-managed Azure AD which controls access using Azure AD Group membership. Note that this option cannot be disabled after it is enabled:
The next screen is Networking and this is where things get interesting – we can use kubenet to create a VNet using default values, or Azure CNI (Container Networking Interface) which allows you to specify a subnet from your own managed Vnets. We can also specify Network policies to define rules for ingress and egress traffic in and out of the cluster.
The next screen is Integrations, where we can integrate with Azure Container Registry and also enable Azure Monitor and Azure Policy.
At this point, we can click Review and Create and go make a cup of tea while thats being created.
And once thats done (the deployment, not the tea….), we can see the Cluster has been created:
One interesting thing to note – the cluster has been created in my “MD-AKS-Test” Resource Group, however a second RG has been created that containes the NSG, Route Table, VNet, Load Balancer, Managed Identity and Scale Set, so its separating the underlying management components from the main cluster resource.
So at thsi point, we need to jump into Cloud Shell and manage the cluster from there. When we launch Cloud Shell and the prompt appears, run:
az aks get-credentials --resource-group MD-AKS-Test --name MD-AKS-Test-Cluster
This sets our cluster as the current context in the Cloud Shell and allows us to run kubectl commands against it. We can now run kubectl get nodes to show us the status of the nodes in our node pool:
At this point, you are ready to deploy an application into your Cluster! You can use the process as described here to create your YAML file and deploy and test the sample Azure Voting App. Once this is deployed, you can check the “Workloads” menu from your cluster in the Portal to see that this is running:
If we click into either of the “azure-vote” deployments, we can see the underlying Pod in place with its internal IP and the node its assigned to:
To delete the cluster, run az aks delete --resource-group MD-AKS-Test --name MD-AKS-Test-Cluster --yes --no-wait.
Azure Kubernetes Service or run your own Kubernetes Cluster?
So this is the million dollar question and there really is no correct answer – it really does depend on your own particular use case.
Lets try to break it down this way – Deploying and operating your own Kubernetes cluster is complex and will require more work to get the underlying technology set up, such as networking, monitoring, identity management and storage.
The flip side is that if you go with AKS its a much faster way to get up and running with Kubernetes and you have full access to technologies such as Azure AD and Azure Key Vault, but you don’t have access to your control plane or master nodes. There is also the cost element to think of as Kubernets can get expensive running in the cloud depending on how much you decide to scale.
So thats a look at Azure Kubernetes Service and also the benefits of running Kubernetes in Azure versus On-Premises.
The last few posts have only really scratched the surface on Kubernetes – there is a lot to learn about the technology and a steep learning curve. One thing for sure is that Kubernetes is a really hot technology right now and there is huge demand for people who have it as a skill.
If you want to follow some folks who know their Kubernetes inside out, the people I would recommend are:
Chad Crowell who you can follow on Twitter or his blog. Chad also has an excellent Kubernetes from Scratch course over at CloudSkills.io containing over 30 real world projects to help you ramp up on Kubernetes.
Michael Levan who you can follow from all his socials on Linktree and who has published multiple content pieces on his social channels.
Richard Hooper (aka Pixel Robots and Microsoft Azure MVP) who you can follow on Twitter or his blog which contains in-depth blog posts and scenarios for AKS. Richard also co-hosts the Azure Cloud Native user group which you can find on Meetup.
Its Day 87 of my 100 Days of Cloud journey and as promised, in todays post I’m going to install and configure Kubernetes locally using Minikube.
In the last post, we listed out all of the components that make up Kubernetes, tools used to manage the environment and also some considerations you need to be aware of when using Kubernetes.
Local Kubernetes – Minikube
We’re going to install Minikube on my Windows Laptop, however you can also install for both Linux and MacOS if thats your preference. These are the requirements to install Minikube:
2 CPUs or more
2GB of free memory
20GB of free disk space
Container or virtual machine manager, such as: Docker, Hyperkit, Hyper-V, KVM, Parallels, Podman, VirtualBox, or VMware Fusion/Workstation
So we download the latest stable release of Minikube from here. The installer is a simple install, and will display this screen once completed:
Now, we run an administrative PowerShell session, and run minikube start in order to start our cluster. Note that because I’m running on this on Windows 10, minikube automatically tried to create the cluster in Hyper-V. Therefore, I needed to run minikube start --driver=docker in order to force minikube to use docker to create the cluster.
So we can see from the output above that the cluster has been created successfully. And the eagle-eyed will also notice that we are using Kubernetes version 1.23.3, which is not the latest version. This is because Kubernetes no longer supports Docker as of version 1.24. Full support will be provided up to April 2023 for all versions up to 1.23 that run Docker. I’ve decided to base this build around Docker as I know it, but you can read more about the changes here and how they affect existing deployments here.
So we move on, and the first thing we need to do is install kubectl. You can download this directly by running minikube kubectl -- get po -A which will go off and install the appropriate version for your OS.
We can see that this has listed all of the Cluster services. We can also run minikube dashboard to launch a graphical view of all aspects of our Cluster:
Now that we’re up and running, lets do a sample webserver deployment. So we run the following commands (as we can see, the image is coming from gcr.io which is the Google Container Registry):
Now lets run kubectl get services hello-minikube to check if the deployment is running:
And if we now look in the Dashboard, we can see that the deployment is running:
Now we can use kubectl port-forward service/hello-minikube 7080:8080 to expose the service on http://localhost:7080/, and when we browse to that we can see the metadata values returned:
And thats effectively it – your local cluster is running. You can try running another image from the Google Container Registry also, the full list of images can be found at the link here.
There are also a number of useful commands listed below that are useful to know when running minikube:
minikube pause – Pause Kubernetes without impacting deployed applications minikube unpause – Unpause a paused instance minikube stop – Halt the cluster minikube config set memory 16384 – Increase the default memory limit (requires a restart) minikube addons list – Browse the catalog of easily installed Kubernetes services minikube start -p aged --kubernetes-version=v1.16.1 – Create a second cluster running an older Kubernetes release (this is potentially useful given Docker is no longer supported) minikube delete --all – Delete all of the minikube clusters
You can find all of the information you need on Minikube including documentation and tutorials here at the official site.
So thats how we can run Kubernetes locally using Minikube. Slight change of plan, I’m going to do the Azure Kubernetes Service install in the next post, as we’ll go in-depth with that and look at the differences in architecture between running Kubernetes locally and in a Cloud Service.
Its Day 86 of my 100 Days of Cloud journey, and in todays post I’m going to give an introduction to Kubernetes.
We introduced Containers on Day 81 and gave an overview of how they work and how they differ in architecture when compared to traditional Bare Metal Physical or Virtual Infrastructure. A container is a lightweight environment that can be used to build and securely run applications and their dependencies. We need container management tools such as Docker to run commands and manage our containers.
We saw how easy it is to deploy and manage containers during the series where I built a monitoring system using a telegraf agent to pull data into an InfluxDB docker container, and then used a Grafana Container to display metrics from the time series database.
So lets get back to that for a minute and understand a few points about that system:
The Docker Host was an Ubuntu Server VM, so we can assume that it ran in a highly available environment – either an on-premises Virtual Cluster such as Hyper-V or VMware or on a Public Cloud VM such as an Azure Virtual Machine or an Amazon EC2 Instance.
It took data in from a single datasource, which was brought into a single time series database, which then was presented on a single dashboard.
So altogether we had 1 host VM and 2 containers. Because the containers and datasource were static, there was no need for scaling or complex management tasks. The containers were run with persistent storage configured, the underlying apps were configured and after that the system just happily ran.
So in effect, that was a static system that required very little or no management after creation. But we also had no means of scaling it if required.
What if we wanted to build something more complex, like a an application with multiple layers where there is a requirement to scale out apps, and respond to increased demand by deploying more container instances, and to scale back if demand is decreasing?
This is where container orchestration technologies are useful because they can handle this for you. A container orchestrator is a system that automatically deploys and manages containerized apps. It can dynamically respond to changes in the environment to increase or decrease the deployed instances of the managed app. Or, it can ensure all deployed container instances get updated if a new version of a service is released.
And this is where Kubernetes comes in!
Kubernetes is an open-source platform created by Google for managing and orchestrating containerized workloads. Kubernetes is also known as “K8s”, and can run any Linux container across private, public, and hybrid cloud environments. Kubernetes allows you to build application services that span multiple containers, schedule those containers across a cluster, scale those containers, and manage the health of those containers over time.
Its important to note though that all of these tasks require configuration and a good understanding of the underlying technologies. You need to understand concepts such as virtual networks, load balancers, and reverse proxies to configure Kubernetes networking.
A Kubernetes cluster consists of:
A set of worker machines, called nodes, that run containerized applications. Every cluster has at least one worker node.
A master node or control plane manages the worker nodes and the Pods in the cluster
Lets take a look at the components that are contained in each of these components
Control Plane or Master Node
The following services make up the control plane for a Kubernetes cluster:
API server – the front end to the control plane in your Kubernetes cluster. All the communication between the components in Kubernetes is done through this API.
Backing store – used by Kubernetes to save the complete configuration of a Kubernetes cluster. A key-value store called etcd stores the current state and the desired state of all objects within your cluster.
Scheduler – responsible for the assignment of workloads across all nodes. The scheduler monitors the cluster for newly created containers, and assigns them to nodes.
Controller manager – tracks the state of objects in the cluster. There are controllers to monitor nodes, containers, and endpoints.
Cloud controller manage – integrates with the underlying cloud technologies in your cluster when the cluster is running in a cloud environment. These services can be load balancers, queues, and storage.
Worker Machines or Nodes
The following services run on the Kubernetes node:
Kubelet – The kubelet is the agent that runs on each node in the cluster, and monitors work requests from the API server. It monitors the nodes and makes sure that the containers scheduled on each node run, as expected.
Kube-proxy – The kube-proxy component is responsible for local cluster networking, and runs on each node. It ensures that each node has a unique IP address.
Container runtime – the underlying software that runs containers on a Kubernetes cluster. The runtime is responsible for fetching, starting, and stopping container images.
Unlike in a Docker environment, you can’t run containers directly on Kubernetes. You package the container into a Kubernetes object called a pod, which is effectively a container with all of the management overhead stripped away and passed back to the Kubernetes Cluster.
A pod can contain multiple containers that make up part of or all of your application, however in general a pod will never contain multiple instances of the same application. So for example, if running a website that requires a database back-end, both of those containers would be packaged into a pod.
A pod also includes information about the shared storage and network configuration, and yaml coded tempates which define how to run the containers in the pod.
Managing your Kubernetes environment
You have a number of options for managing your Kubernetes environment:
kubectl – You can use kubectl to deploy applications, inspect and manage cluster resources, and view logs. kubectl can be installed on Linux, macOS and Windows platforms.
kind – this is used for running Kubernetes on your local device.
minikube – similar to kind in that it allows you to run Kubernetes locally.
kubeadm – this is used to create and manage kubernetes clusters in a user friendly way.
kubectl is by far the most used in enterprise Kubernetes environments, and you can find more details in the documentation here.
While Kubernetes provides an orchestration platform that means you can run your clusters and scale as required, there are certain things you need to be aware that it cannot do, such as:
Deployment, scaling, load balancing, logging, and monitoring are all optional. You need to configure these and fit these into your specific solution requirements.
There is no limit to the tyes of apps that can run – if it can run in a container, it can run on Kubernetes.
Kubernetes doesn’t provide middleware, data-processing frameworks, databases, caches, or cluster storage systems.
A container runtime such as Docker is required for managing containers.
You need to manage the underlying environment that Kubernetes runs on (memory, networking, storage etc), and also manage upgrades to the Kubernetes platform itself.
Azure Kubernetes Service
All of the above considerations and indeed all of the sections we’ve covered in this post require detailed knowledge of both Kubernetes and also the underlying dependencies. This overhead is removed in some part by cloud services such Azure Kubernetes Service (AKS) which reduces these challenges by providing a hosted Kubernetes environment.
As a hosted Kubernetes service, Azure handles critical tasks, like health monitoring and maintenance. Since Kubernetes masters are managed by Azure, you only manage and maintain the agent nodes.
You can create an AKS cluster using:
The Azure CLI
The Azure portal
Using template-driven deployment options, like Azure Resource Manager templates, Bicep and Terraform.
When you deploy an AKS cluster, the Kubernetes master and all nodes are deployed and configured for you. Advanced networking, Azure Active Directory (Azure AD) integration, monitoring, and other features can be configured during the deployment process.
And thats a description of Kubernetes, how it works, why its useful and the components that are contained within it. In the next post, we’re going to put all that theory into practice and set up both a local Kubernetes Cluster using minikube, and also look at deploying cluster onto Azure Kubernetes Service.
Its Day 85 of my 100 Days of Cloud journey, and in todays post I’m looking at the options for Container Security in Azure.
We looked at an overview of Containers on Day 81, how they work like a virtual machines in that they utilize the underlying resources offered by the Container Host, but instead of packaging your code with an Operating System, each container only contains the code and dependencies needed to run the application and runs as a process inside the OS Kernel. This means that containers are smaller and more portable, and much faster to deploy and run.
We need to secure Containers in the same way as we would any other services running on the Public Cloud. Lets take a look at the different options that are available to us for securing Containers.
Use a Private registry
Containers are built from images that are stored in either public repositories such as Docker Hub, a private registry such as Docker Trusted Registry, which can be installed on-premises or in a virtual private cloud, or a cloud-based private registry such as Azure Container Registry.
Like all software that is publicly available on the internet, a publicly available container image does not guarantee security. Container images consist of multiple software layers, and each software layer might have vulnerabilities.
To help reduce the threat of attacks, you should store and retrieve images from a private registry, such as Azure Container Registry or Docker Trusted Registry. In addition to providing a managed private registry, Azure Container Registry supports service principal-based authentication through Azure Active Directory for basic authentication flows. This authentication includes role-based access for read-only (pull), write (push), and other permissions.
Ensure that only approved images are used in your environment
Allow only approved container images. Have tools and processes in place to monitor for and prevent the use of unapproved container images. One option is to control the flow of container images into your development environment. For example, you only allow a single approved Linux distribution as a base image in order to minimize the surface for potential attacks.
Another option is to utilize Azure Container Registry support for Docker’s content trust model, which allows image publishers to sign images that are pushed to a registry, and image consumers to pull only signed images.
Monitoring and Scanning Images
Use solutions that have the ability to scan container images in a private registry and identify potential vulnerabilities. Azure Container Registry optionally integrates with Microsoft Defender for Cloud to automatically scan all Linux images pushed to a registry to detect image vulnerabilities, classify them, and provide remediation guidance.
Credential management is one of the most basic tyes of security. Because containers can spread across several clusters and Azure regions, you need to ensure that you have secure credentials required for logins or API access, such as passwords or tokens.
Using tools such as TLS encryption for secrets data in transit, least-privilege Azure role-based access control (Azure RBAC), and Azure Key Vault to securely store encryption keys and secrets (such as certificates, connection strings, and passwords) for containerized applications.
Removing unneeded privileges from Containers
You can also minimize the potential attack surface by removing any unused or unnecessary processes or privileges from the container runtime. Privileged containers run as root. If a malicious user or workload escapes in a privileged container, the container will then run as root on that system.
Enable Auditing Logging for all Container administrative user access
Use native Azure Solutions to maintain an accurate audit trail of administrative access to your container ecosystem. These logs might be necessary for auditing purposes and will be useful as forensic evidence after any security incident. Azure solutions include:
Integration of Azure Kubernetes Service with Microsoft Defender for Cloud to monitor the security configuration of the cluster environment and generate security recommendations
Azure Container Monitoring solution
Resource logs for Azure Container Instances and Azure Container Registry
So thats a brief overview of how we can secure containers running in Azure and ensure that we are only using approved images that have been scanned for vulnerabilities.