Virtualization - Cloud

Day: December 25, 2020

Windows Virtual Desktop Environment structure

Windows Virtual Desktop is a service that gives users easy and secure access to their virtualized desktops and RemoteApps. This topic will tell you a bit more about the general structure of the Windows Virtual Desktop environment.

Host pools

A host pool is a collection of Azure virtual machines that register to Windows Virtual Desktop as session hosts when you run the Windows Virtual Desktop agent. All session host virtual machines in a host pool should be sourced from the same image for a consistent user experience.

A host pool can be one of two types:

  • Personal, where each session host is assigned to individual users.
  • Pooled, where session hosts can accept connections from any user authorized to an app group within the host pool.

You can set additional properties on the host pool to change its load-balancing behavior, how many sessions each session host can take, and what the user can do to session hosts in the host pool while signed in to their Windows Virtual Desktop sessions. You control the resources published to users through app groups.

App groups

An app group is a logical grouping of applications installed on session hosts in the host pool. An app group can be one of two types:

  • RemoteApp, where users access the RemoteApps you individually select and publish to the app group
  • Desktop, where users access the full desktop

By default, a desktop app group (named “Desktop Application Group”) is automatically created whenever you create a host pool. You can remove this app group at any time. However, you can’t create another desktop app group in the host pool while a desktop app group exists. To publish RemoteApps, you must create a RemoteApp app group. You can create multiple RemoteApp app groups to accommodate different worker scenarios. Different RemoteApp app groups can also contain overlapping RemoteApps.

To publish resources to users, you must assign them to app groups. When assigning users to app groups, consider the following things:

  • A user can be assigned to both a desktop app group and a RemoteApp app group in the same host pool. However, users can only launch one type of app group per session. Users can’t launch both types of app groups at the same time in a single session.
  • A user can be assigned to multiple app groups within the same host pool, and their feed will be an accumulation of both app groups.

Workspaces

A workspace is a logical grouping of application groups in Windows Virtual Desktop. Each Windows Virtual Desktop application group must be associated with a workspace for users to see the remote apps and desktops published to them.

End users

After you’ve assigned users to their app groups, they can connect to a Windows Virtual Desktop deployment with any of the Windows Virtual Desktop clients.

WVD Control Plane and User Connection Flow

Microsoft manages the following Windows Virtual Desktop services as part of Azure:


Web Access

The Web Access service within Window Virtual Desktop lets user’s access virtual desktops and remote apps through an HTML5-compatible web browser as they would with a local PC, from anywhere on any device. Web Access is secured for Diageo users using OKTA multifactor authentication.

Gateway

The Remote Connection Gateway service connects remote users to Windows Virtual Desktop apps and desktops from any internet-connected device that can run a Windows Virtual Desktop client. The client connects to a gateway, which then orchestrates a connection from a VM back to the same gateway.

Connection Broker

The Connection Broker service manages WVD user connections to virtual desktops and remote apps. The Connection Broker provides load balancing and reconnection to existing sessions.

Diagnostics

Remote Desktop Diagnostics is an event-based aggregator that marks each user and administrator action on the Windows Virtual Desktop deployment as a success or failure. WVD Administrators can query the event aggregation to identify failing components as per requirements.

Extensibility components

Windows Virtual Desktop includes several extensibility components. Windows Virtual Desktop can be managed using Windows PowerShell or with the provided REST APIs, which also enable support from third-party tools. WVD team is using Azure ARM/GUI for WVD management for this deployment.

WVD User Connection Traffic flow

WVD uses Reverse Connect, which means that no inbound ports need to be opened on the VM to setup the RDP connection. Once the connection flow proceeds, bidirectional communication between session hosts/host pools will go over port https (443).


Windows Virtual Desktop is a global load balanced service via Azure front-door. This means that the traffic flow always goes via the nearest management control-plane/service location.

User Connection Flow

  1. User launches RD client which connects to Azure AD, Azure MFA, user signs in, and Azure AD returns token
  2. RD client presents token to Web Access, Broker queries DB to determine resources authorized for user
  3. User selects resource, RD client connects to Gateway
  4. Broker orchestrates connection from host agent to Gateway
    RDP traffic now flows between RD client and session host VM over connections 3 and 4

© 2021 Tech Blog

Theme by Anders NorenUp ↑