This guide explains how to deploy Azure Virtual Desktop at enterprise scale. It describes how to use the application landing zone accelerator for Azure Virtual Desktop to shorten deployment time and apply enterprise governance, security, networking, and automation patterns. Follow this guidance to standardize deployments, enforce compliance controls, and scale AVD across regions with predictable operations.
What you'll accomplish:
- Set up enterprise-scale governance and security controls
- Deploy the Azure Virtual Desktop accelerator with best practices built-in
- Configure multi-region expansion for global users (optional)
- Implement automated deployment pipelines
New to enterprise-scale Azure landing zone? Start with the enterprise-scale Azure landing zone overview to understand the foundational concepts before proceeding with Azure Virtual Desktop deployment.
Download a Visio file of this multi-region architecture of an Azure Virtual Desktop deployment in an enterprise-scale Azure landing zone.
Establish a scalable and compliant enterprise-scale Azure landing zone
An enterprise-scale Azure landing zone ensures consistent governance, security, and operational readiness across Azure environments. Complete this foundation before deploying Azure Virtual Desktop to ensure security and compliance requirements are met.
1. Deploy the enterprise-scale Azure landing zone. This deployment includes identity, network, management, and security configurations that support scalable workloads. Use the step-by-step deployment guide to configure your environment.
2. Review implementation guidance to align with enterprise-scale Azure landing zone architecture. This step ensures that your deployment follows best practices for modularity, scalability, and compliance. See the enterprise-scale implementation best practices.
Deploy the application landing zone accelerator for Azure Virtual Desktop
The application landing zone accelerator for Azure Virtual Desktop provides Infrastructure as Code templates that implement enterprise-scale best practices, reducing deployment time and ensuring consistency across environments.
1. Use the application landing zone accelerator to deploy baseline Azure Virtual Desktop resources. The accelerator includes proven Bicep and ARM templates for virtual networks, storage, and virtual machines. Access the Azure Virtual Desktop accelerator on GitHub and review the deployment prerequisites before starting.
2. Customize the accelerator to meet organizational requirements. Modify environment variables and deployment parameters to reflect your identity, network, and compliance needs. This flexibility supports diverse enterprise scenarios while maintaining security standards.
3. Integrate with CI/CD pipelines for automated deployments. Automate your Azure Virtual Desktop deployments using PowerShell or Azure CLI. Explore the accelerator's Bicep automation examples or deploy through the Azure portal for initial testing and validation.
4. Deploy custom images to standardize virtual machine configurations. Create consistent virtual machine images with your required software, security configurations, and organizational policies. Store these images in Azure Compute Gallery to reduce deployment time and ensure compliance across all session hosts.
Expand Azure Virtual Desktop across regions
Growing globally or need more capacity? Regional expansion provides scalability, improves performance for distributed users, and supports business continuity. Choose the expansion scenario that fits your needs:
- Scenario 1: Scale beyond capacity limits - Add regions when your primary region reaches resource limits
- Scenario 2: Improve user proximity - Deploy closer to users for better performance and local connectivity
Expand due to capacity limitations
A secondary region helps organizations scale Azure Virtual Desktop when the primary region reaches capacity limits.
1. Deploy a new virtual network with non-overlapping IP address space. This configuration prevents routing conflicts and ensures clean peering between regions. Use CIDR blocks that don't overlap with existing virtual networks in the primary region.
2. Connect the new region to the primary region using global VNet peering with gateway transit enabled. Gateway transit allows the new region to access shared on-premises resources through VPN or ExpressRoute. This setup supports centralized connectivity and avoids duplicating network infrastructure.
3. Provision regional storage for user profiles. Deploy a storage solution in the new region to store FSLogix profile containers. Ensure that users are assigned to desktops in only one region to avoid profile fragmentation across storage systems.
4. (Optional) Deploy a Domain Controller in the new region. This deployment improves authentication performance and supports local identity resolution. Consider replicating Active Directory services if latency or availability is a concern.
5. Configure outbound internet connectivity in the new region. Use Network Security Groups (NSGs), Network Virtual Appliances (NVAs), or Azure Firewall to enforce security policies and control traffic flow.
6. Deploy Azure Virtual Desktop virtual machines in the new region. Use the application landing zone accelerator for Azure Virtual Desktop to deploy session hosts and supporting infrastructure. Validate that all dependencies are available in the new region.
7. Assign users to desktops in only one region. This single assignment ensures consistent access to their profile data and avoids conflicts caused by multiple profile instances across regions.
Expand to support regional user proximity
Deploying Azure Virtual Desktop closer to users and on-premises systems improves performance and reduces latency.
1. Deploy a new virtual network with non-overlapping IP address space. This configuration ensures clean routing and avoids IP conflicts with existing networks in other regions or on-premises.
2. Connect the new region to the local on-premises datacenter using VPN or ExpressRoute with private peering. This setup enables users to access regional applications and services hosted in nearby datacenters. Use ExpressRoute for higher reliability and performance; see configure ExpressRoute private peering for details.
3. Provision regional storage for user profiles. Store FSLogix profile containers in the same region as the session hosts to reduce latency and improve sign-in performance. Avoid cross-region profile access.
4. (Optional) Deploy a Domain Controller in the new region. This setup supports local authentication and reduces dependency on cross-region identity services.
5. Configure outbound internet connectivity in the new region. Use NSGs, NVAs, or Azure Firewall to enforce consistent security policies and manage internet-bound traffic.
6. Deploy Azure Virtual Desktop virtual machines in the new region. Use the application landing zone accelerator for Azure Virtual Desktop to deploy session hosts and supporting infrastructure. Validate that regional dependencies are available.
7. Assign users to desktops in only one region. This setup prevents profile duplication and ensures a consistent user experience. Profiles are region-specific and must not be shared across regions.
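Both expansion scenarios start with the same two network requirements: a new address space that overlaps nothing already routable, and a hub/spoke peering whose gateway-transit flags are set on the correct sides. The following pre-flight check is an added example, not code from the accelerator or from the page's author; the VNet names and prefixes in EXISTING are constructed, and the peering check encodes the Azure rule that one side of a peering cannot set both allowGatewayTransit and useRemoteGateways.

```python
"""Pre-flight checks before adding an Azure Virtual Desktop region (constructed
example, not part of the accelerator)."""
from ipaddress import ip_network


def find_overlaps(new_prefixes, existing):
    """Return (new_prefix, name, existing_prefix) for every address clash.

    `existing` maps each peered VNet or on-premises range to its prefixes;
    any overlap breaks routing once the new VNet is peered, so expect [].
    """
    clashes = []
    for new in new_prefixes:
        new_net = ip_network(new)
        for name, prefixes in existing.items():
            for prefix in prefixes:
                if new_net.overlaps(ip_network(prefix)):
                    clashes.append((new, name, prefix))
    return clashes


def check_gateway_transit(hub, spoke):
    """Validate the peering flags that give the new region on-premises reach.

    The hub that owns the VPN/ExpressRoute gateway must set allowGatewayTransit,
    the new region must set useRemoteGateways, and no side may set both.
    Returns the list of problems; [] means the pair is consistent.
    """
    problems = []
    for side, flags in (("hub", hub), ("spoke", spoke)):
        if flags["allowGatewayTransit"] and flags["useRemoteGateways"]:
            problems.append(f"{side} sets both allowGatewayTransit and useRemoteGateways")
    if not hub["allowGatewayTransit"]:
        problems.append("hub must set allowGatewayTransit")
    if not spoke["useRemoteGateways"]:
        problems.append("spoke must set useRemoteGateways")
    return problems


# Constructed inventory: hub and primary-region VNets plus the on-premises range.
EXISTING = {
    "vnet-hub-primary": ["10.0.0.0/16"],
    "vnet-avd-primary": ["10.1.0.0/16"],
    "onprem-datacenter": ["192.168.0.0/16"],
}

if __name__ == "__main__":
    print(find_overlaps(["10.1.128.0/17"], EXISTING))  # one clash with vnet-avd-primary
    print(check_gateway_transit({"allowGatewayTransit": True, "useRemoteGateways": False},
                                {"allowGatewayTransit": False, "useRemoteGateways": True}))
```

Run it against the address plan and peering parameters you intend to pass to the accelerator; an empty result from both functions is the condition steps 1 and 2 of either scenario require.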
Continue your Azure Virtual Desktop journey
Maximize your Azure Virtual Desktop deployment with these essential design guidelines. Each area provides specific guidance to optimize your implementation:
Core design areas:
- 🏢 Enterprise enrollment - Optimize subscription and billing management
- 🔐 Identity and access management - Secure user authentication and authorization
- 🌐 Network topology and connectivity - Design resilient network patterns
- 📋 Resource organization - Implement effective resource grouping and tagging
- 📊 Management and monitoring - Set up comprehensive operational management
- 🔄 Business continuity and disaster recovery - Protect with backup and recovery strategies
- 🛡️ Security governance and compliance - Enforce security controls and meet compliance requirements
- ⚙️ Platform automation and DevOps - Streamline automation and deployment pipelines
Tip
Start with identity and networking if you're new to enterprise-scale patterns. These foundational areas affect all other design decisions.
Azure tools and resources
Essential deployment tools:
| Category | Tool | Why you need it |
|---|---|---|
| 🚀 Quick start | Azure Virtual Desktop accelerator | Deploy production-ready AVD in hours, not weeks; includes Infrastructure as Code templates with enterprise-scale best practices built-in |
| 🏗️ Foundation | Enterprise-scale Azure landing zone guide | Establish governance, security, and management capabilities that support scalable Azure Virtual Desktop deployments |
| ⚙️ Automation | Bicep and PowerShell deployment scripts | Automate your Azure Virtual Desktop deployments with proven Infrastructure as Code templates and CI/CD integration examples |
Next steps
Ready to secure and manage your Azure Virtual Desktop environment? Start with identity and access management to establish authentication patterns and security controls.