Azure Virtual Desktop landing zone design guide

This article provides a design-oriented overview of the enterprise-scale landing zone for Azure Virtual Desktop, for architects and technical decision makers. The goal is to help you quickly gain an understanding of the accelerator and how it's designed, allowing you to shorten the time required to complete a successful deployment.

Landing zone concepts

If you understand Azure landing zones, you can skip ahead to the next section. If not, here are some concepts to review before proceeding:

  • Abstractly speaking, a landing zone helps you plan for and design an Azure deployment, by conceptualizing a designated area for placement and integration of resources. There are two types of landing zones:

    • platform landing zone: provides centralized enterprise-scale foundational services for workloads and applications.
    • application landing zone: provides services specific to an application or workload.
  • Concretely, a landing zone can be viewed through two lenses:

    • reference architecture: a specific design that illustrates resource deployment to one or more Azure subscriptions, which meet the requirements of the landing zone.
    • reference implementation: artifacts that deploy Azure resources into the landing zone subscription(s), according to the reference architecture. Many landing zones offer multiple deployment options, but the most common is a ready-made Infrastructure as Code (IaC) template referred to as a landing zone accelerator. Accelerators automate and accelerate the deployment of a reference implementation, using IaC technology such as ARM, Bicep, Terraform, and others.
  • A workload deployed to an application landing zone integrates with and depends on services provided by the platform landing zone. These infrastructure services run workloads such as networking, identity and access management, policies, and monitoring. This operational foundation enables migration, modernization, and innovation at enterprise scale in Azure.

In summary, Azure landing zones provide a destination for cloud workloads, a prescriptive model for managing workload portfolios at scale, and consistency and governance across workload teams.

Reference architecture

The enterprise-scale landing zone for Azure Virtual Desktop is part of the "Desktop virtualization" scenario article series in the Azure Cloud Adoption Framework. The series provides compatibility requirements, design principles, and deployment guidance for the landing zone. The articles also serve as the reference architecture for an enterprise-scale implementation, ensuring the environment is capable of hosting desktops and any supporting workloads.

Diagram of reference architecture required for Azure Virtual Desktop landing zone implementations.

Design principles

Like other landing zones, the enterprise-scale Azure Virtual Desktop landing zone was designed using a core set of Cloud Adoption Framework design principles and guided by common design areas.

Design areas for the Azure Virtual Desktop landing zone are indicated with letters "A" through "J" in the diagram, to illustrate the hierarchy of resource organization:

| Legend | Design area | Objective |
|---|---|---|
| A | Enterprise enrollment | Proper tenant creation, enrollment, and billing setup are important early steps. |
| B, G | Identity and access management | Identity and access management is a primary security boundary in the public cloud. It's the foundation for any secure and fully compliant architecture. |
| C-H, J | Resource organization | As cloud adoption scales, considerations for subscription design and management group hierarchy have an impact on governance, operations management, and adoption patterns. |
| C-H, J | Management and monitoring | For stable, ongoing operations in the cloud, a management baseline is required to provide visibility, operations compliance, and protect and recover capabilities. |
| E, F | Network topology and connectivity | Networking and connectivity decisions are an equally important foundational aspect of any cloud architecture. |
| G, F, J | Business continuity and disaster recovery | Automate auditing and enforcement of governance policies. |
| F, J | Security governance and compliance | Implement controls and processes to protect your cloud environments. |
| I | Platform automation and DevOps | Align the best tools and templates to deploy your landing zones and supporting resources. |

Reference implementation

The Azure Virtual Desktop landing zone accelerator deploys resources for an enterprise-scale reference implementation of Azure Virtual Desktop. This implementation is based on the reference architecture discussed in the previous section.



The accelerator deploys resources into the two Azure Virtual Desktop landing zone subscriptions identified in the following architecture diagram: AVD LZ Subscription and AVD Shared Services LZ Subscription.

We strongly recommend deployment of the appropriate Cloud Adoption Framework platform landing zone first, to provide the enterprise-scale foundation services required by the resources deployed by the accelerator. Refer to the baseline deployment prerequisites to review the full set of prerequisites and requirements for the accelerator.

Diagram of reference implementation created by Azure Virtual Desktop landing zone accelerator.


Accelerator overview

The Azure Virtual Desktop landing zone accelerator supports multiple deployment scenarios depending on your requirements. Each deployment scenario supports both greenfield and brownfield deployments, and provides multiple IaC template options:

  • Azure portal UI (ARM template)
  • Azure CLI or Azure PowerShell (Bicep/ARM template)
  • Terraform template

The accelerator uses resource naming automation based on the following recommendations:

Before proceeding with the deployment scenarios, familiarize yourself with the Azure resource naming, tagging, and organization used by the accelerator:

Diagram showing organization and naming of Azure resources deployed by the Azure Virtual Desktop landing zone accelerator.


Accelerator deployment

To continue with deployment, choose the following deployment scenario tab that best matches your requirements:

The baseline deployment deploys the Azure Virtual Desktop resources and dependent services that allow you to establish an Azure Virtual Desktop baseline.

This deployment scenario includes the following items:

  • Azure Virtual Desktop resources, including one workspace, two application groups, a scaling plan, a host pool, and session host virtual machines
  • An Azure Files share integrated with your identity service
  • Azure Key Vault for secret, key, and certificate management
  • Optionally, a new Azure Virtual Network with baseline Network Security Groups (NSG), Application Security Groups (ASG), and route tables

When you're ready for deployment, complete the following steps:

  1. Review the get started document for details on prerequisites, planning information, and a discussion on what is deployed.

  2. Optionally, refer to the Custom image build deployment tab to build an updated image for your Azure Virtual Desktop session hosts.

  3. Continue with the baseline deployment steps. If you created a custom Azure Compute Gallery image in the previous step, be sure to select "Compute gallery" for OS image source and select the correct Image on the Session hosts page:

    Screenshot of the OS selection field on the Session hosts page in the Azure portal.