Architecture of Azure Virtual Desktop

Figure 1 shows the architecture of Azure Virtual Desktop (AVD) as it applies to an enterprise organization:

Figure 1: Architecture of Azure Virtual Desktop

  • The endpoints are in the customer’s on-premises network. ExpressRoute extends the on-premises network into the Azure cloud, and Azure AD Connect integrates the customer’s Active Directory Domain Services (AD DS) with Azure Active Directory (Azure AD).

  • The AVD control plane handles Web Access, Gateway, Broker, Diagnostics, and extensibility components, such as REST APIs.

  • The customer manages AD DS and Azure AD, Azure subscriptions, virtual networks, Azure Files or Azure NetApp Files, and the AVD host pools and workspaces.

In the above architecture, Microsoft manages the following components:

  • The Web Access service allows users to access virtual desktops and remote apps through an HTML5-compatible web browser. You can secure Web Access using multifactor authentication in Azure Active Directory.

  • The Remote Connection Gateway service connects remote users to AVD apps and desktops from any Internet-connected device that can run an AVD client. The client connects to a gateway, which then orchestrates a connection from a session host VM back to the same gateway, so no inbound port needs to be opened to the VM.

  • The Connection Broker service manages user connections to virtual desktops and remote apps. The Connection Broker provides load balancing and reconnection to existing sessions.

  • Remote Desktop Diagnostics records user and administrator actions; administrators can query it to identify failing components.

In the above architecture, customers manage:

  • The Azure Virtual Network, which enables Azure resources like VMs to communicate privately with one another and with the Internet.

  • Azure AD, which supports security features such as Conditional Access and multifactor authentication.

  • Host pools, which are collections of session host VMs running Windows desktops with multi-session support.
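The two customer-managed security controls named above, Azure AD Conditional Access and multifactor authentication for Web Access, come together in one policy object. The following is an added example, not code from the original page or from Microsoft's documentation, showing how such a policy can be created with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and that the group ID and application ID are placeholders to be replaced with values from your own tenant.

```powershell
# Added example (not from the original page): a Conditional Access policy that
# requires MFA for every sign-in to Azure Virtual Desktop, created through the
# Microsoft Graph PowerShell SDK.
# Assumptions: the Microsoft.Graph module is installed, the caller holds
# Policy.ReadWrite.ConditionalAccess, and the two IDs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All"

# Placeholder: object ID of the Azure AD group that contains the AVD users.
$avdUsersGroupId = "<AVD-USERS-GROUP-OBJECT-ID>"

# Placeholder: app ID of the Azure Virtual Desktop enterprise application in
# your tenant. Look it up in the Enterprise applications blade or with:
#   Get-MgServicePrincipal -Filter "displayName eq 'Azure Virtual Desktop'"
$avdAppId = "<AZURE-VIRTUAL-DESKTOP-APP-ID>"

$policy = @{
    displayName = "AVD - require MFA"
    # Start in report-only mode so the sign-in logs show what the policy would
    # have blocked; change to "enabled" once the results have been reviewed.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users          = @{ includeGroups = @($avdUsersGroupId) }
        applications   = @{ includeApplications = @($avdAppId) }
        # Cover the HTML5 web client (browser) and the desktop/mobile clients.
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"
```

The policy is scoped to a group rather than to all users so that break-glass accounts can be excluded, and it is created in report-only state first; the Azure AD sign-in logs then show which AVD connections would have been challenged before enforcement is switched on.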