Azure Virtual Desktop - Creation and Cost Savings

Wanted to do a write-up while it's still fresh on my mind, but have a project coming up that requires a VD deployment. The environment will rarely be used, so cost saving is pretty important in this particular case. To accomplish this, I wanted to dig into Azure's "Start VM on connect" feature. I utilized some of the work from AVD Punks: Link Here to make it happen, but the whole story is below.


So first, let's start with how to actually setup AVD:

Feel free to skip if this is something with which you already have familiarity


Create your Resource Group within Azure. This can be called whatever you like



Then we'll create out Virtual Network within the Resource Group that was just setup:





You can proceed with all of the defaults, unless you want to enable any advanced security features, like DDOS protection or VNet Encryption, AZ Firewall or Bastion. The default IP Scheme will be fine for a development environment as well, but you can obviously change if the default net of 10.0.0.0/16 conflicts with any of the networks that you will be integrating with your AVD Network.


Now, we can configure Azure Virtual Desktop: Host Pools/Workspace/App Group

Search for AVD in the bar



Enter the information that you want for your environment into the "Basics" tab of Create a Host Pool

Under "Session Hosts", select "Yes" on adding a virtual machine

  • Image can be unique to your needs, but I'm using Windows 11 24H2 + MS365 Apps as of the time of this writing
  • Select the Virtual Network that you created earlier, in the Virtual Network tab
    • Network default settings are fine, unless you want to do something unique in your environment
  • Domain to Join: I selected Microsoft Entra ID for my development environment, but you can enroll in Active Directory, if the VNet in your environment either has a Domain Controller connected or you have a VPN to a network that has access to a Domain Controller
Under "Workspace"
  • Register App Group: Yes
    • Create new workspace and give it a name

Permission to Access Virtual Desktop

   Assign Virtual Machine User or Administrator Login to either your user or security group, to give login permissions to the VM. You'll need to do this at the Subscription level

    You'll also need to assign Desktop Virtualization Power On Contributor to the Azure Virtual Desktop application. This will need to be done at the Subscription level as well

    

 Licensing

I use Microsoft 365 Business Premium for my user in a development environment, but refer to Microsoft Docs on what other licenses can be used to access Virtual Desktop. If the user that you want to test with isn't licensed correctly, then you won't be able to login. Also, the Business Premium license will let you auto-subscribe within the Remote Desktop (Windows) or Windows App (Mac), instead of having to type in the subscription URL or creating a CNAME Record for your Domain.



Cost Saving: Start/Stop VM and Deallocation

Ok...... so we've come a long way to get here, but we're here.... finally lol


Create a Group Policy for User Sign out on Disconnect


We'll create a Group Policy Object to sign out users who disconnect from the Session Host that we created earlier on. This can also be done through the Registry as well as through Intune, but we'll stick to Local Policy now since there's only one host involved in this Development environment




Computer Configuration > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits: Set Time Limit for Disconnected Users

  • I set this to 1 Minute, as you can see. If you wanted to extend, so that the user isn't virtually immediately signed out, then feel free

Create a Scheduled Task within the Session Host



Create your Trigger for the Scheduled Task



Create our action, to shutdown the VM after user sign out




Defaults are fine for the remainder of the task. Feel free to add delays if you'd like


Create a Function App within Azure to Deallocate the VMs that are shutdown


Search for Function App within Azure



Create a Function App

  • Basics
  • Consumption
  • Instance Name: Whatever you like
  • Publish: Code
  • Runtime Stack: Powershell Core
  • Version: Most Recent (7.4 as of this writing)
  • Operating System: Windows
  • Monitoring
  • Enable Application Insights: Yes (You can turn this off, but I think you'll appreciate the login ability)

Identity




Enable "System Assigned Identity"

Add role assignment to the Function App. This will give the app permission to monitor and work within either your Subscription or the Resource Group housing your Virtual Desktop




Add your Environment Variables. This will inform our upcoming Powershell script of what data to read.

In the "Value" field, set to whatever the name is of the Resource Group that houses your virtual desktop. In my case, it is "autocad"





Update Azure App Files: requirements.psd1 file with these lines

   'Az.Accounts' = '2.10.4'
    'Az.Compute' = '5.2.0'



Create a Function for your app




Add this to the function script that you just created:

$StoppedVMs = Get-AzVM -ResourceGroupName $env:ResourceGroupName -Status | Where-Object {($_.powerstate -eq "VM stopped")}
if ($null -ne $StoppedVMs){
 foreach ($VM in $StoppedVMs){
 Write-Host "VM $($VM.Name) will be deallocated now..."
 $StopVM = Stop-AzVM -Name $VM.Name -ResourceGroupName $env:ResourceGroupName -Force
 If ($StopVM.Status -eq "Succeeded") {
 Write-Host "VM $($VM.Name) was successfully deallocated..."
 } else {
 Write-Host ("Something went wrong! Please check the Azure activity log ...")
 }
 }
} else {
 Write-Host ("No VMs could be found in the status stopped...")
}





Restart your app:





Finally time to test! We made it together and I feel it! I'm almost out of breath, just from typing this up 🫠


Any complaints, concerns, questions, issues, etc, feel free to hit me up!

Comments

Post a Comment

Popular posts from this blog

This is how it all starts......

 Hello to everyone who may or may not ever read this. Really just kicking off a space to brain dump or pour out some thought. Not living for the "Comments Section" or much else here, but wanted a place to put some short or long format posts. This will mainly be centered around IT projects or labs that I may be working on. Some may be completed and some might be abandoned. A lot of those posts will act more as a documentation hub, for me to have a place to potentially review some of the work from days past. Some of the hurdles that are encountered and some of the victories that may be tasted. I may add some pictures here and there, but we'll see what all comes out. Optimistically, this could be a fun way to pass time, compared to Instagram.... :)
Read more

Azure Files - Multi Site Sync w/ Active Directory Auth Integration

Image
  Spent some time this week building a multi-site Azure File Sync lab. The goal was to get into the weeds a bit more for a more cloud based file sharing platform that's more robust that's SharePoint. The setup involved: - New AD forest with Entra sync. - Four VMs: One primary DC and three RODCs/File Sync servers representing remote sites. - VNET peering to the main network. - Azure Storage Sync configuration - Azure Storage Account bound to AD DS for file share authentication. I also dug into Microsoft's Entra Kerberos solution for allowing access from non-domain joined devices in WFH scenarios. It's an interesting option that gives access without requiring local domain joins (though a working AD domain is still a pre-req). I opted out of this, to keep it a bit more streamlined in my case. It was a fun little project. The build and configuration took a few hours, but Azure's platform is pretty bulletproof, so a few docs and some trial and error got us across the fin...
Read more