EPC Group - Enterprise Microsoft AI, SharePoint, Power BI, and Azure Consulting
February 23, 2026 | 26 min read | Azure Cloud Services

Azure Virtual Desktop: The Enterprise Guide to AVD Architecture, Deployment, and Cost Optimization

Azure Virtual Desktop has become the dominant enterprise VDI platform, replacing Citrix and VMware Horizon across Fortune 500 organizations. This guide covers enterprise AVD architecture, host pool design, FSLogix profile management, security hardening for HIPAA and FedRAMP, autoscaling strategies, and real-world cost analysis — based on 200+ AVD deployments by EPC Group.

Table of Contents

  • Why Azure Virtual Desktop Dominates Enterprise VDI
  • Enterprise AVD Architecture Patterns
  • Host Pool Design and Session Host Sizing
  • FSLogix Profile Management
  • Golden Image Management and Updates
  • Networking and Connectivity
  • Security Hardening for Compliance
  • Autoscaling and Cost Optimization
  • AVD vs. Windows 365 vs. Citrix vs. VMware
  • Migrating from Citrix or VMware to AVD
  • Partner with EPC Group

Why Azure Virtual Desktop Dominates Enterprise VDI

The virtual desktop infrastructure market has undergone a fundamental shift. According to Gartner's 2025 Magic Quadrant for DaaS, Azure Virtual Desktop holds the largest market share among cloud-hosted VDI platforms, driven by three structural advantages: Windows 11 multi-session (exclusive to AVD), zero per-user VDI licensing for Microsoft 365 customers, and native integration with the Microsoft security and management ecosystem.

At EPC Group, our Azure cloud consulting practice has deployed AVD for over 200 enterprise organizations — from 50-user departments to 25,000-user global deployments. The common thread across all successful AVD projects is upfront architecture planning. A poorly designed AVD environment creates performance complaints, cost overruns, and security gaps that are expensive to fix post-deployment.

Key Advantages Over Legacy VDI

  • No infrastructure to manage: The AVD control plane (connection broker, gateway, diagnostics, web client) is fully managed by Microsoft at no cost. You only pay for the session host VMs and storage.
  • Multi-session Windows 11: Run 8-15 users on a single VM with the full Windows 11 desktop experience. No other VDI platform offers multi-session Windows 11. This reduces VM costs by 60-70% compared to single-session VDI.
  • No per-user VDI license: Microsoft 365 E3/E5 includes AVD access rights. Citrix and VMware charge $12-$25/user/month for their management plane alone.
  • Native Entra ID and Intune: Session hosts join Entra ID natively, Intune manages device policies, Conditional Access controls who connects from where. No additional identity infrastructure required.
  • Teams optimization: AVD redirects Teams audio/video to the local device, providing near-native call quality. This was a major pain point with legacy VDI platforms.

Enterprise AVD Architecture Patterns

Enterprise AVD architecture integrates with your Azure Landing Zone and follows hub-spoke networking. The AVD session hosts reside in a dedicated spoke VNet, peered to the hub for centralized firewall, DNS, and hybrid connectivity.

Enterprise AVD Architecture
┌──────────────────────────────────────────────────────┐
│ Microsoft-Managed Control Plane (no cost)            │
│ ├── Connection Broker                                │
│ ├── Gateway (RDP Shortpath / reverse connect)        │
│ ├── Web Client                                       │
│ └── Diagnostics & Monitoring                         │
└──────────────────────┬───────────────────────────────┘
                       │ HTTPS (443)
┌──────────────────────▼───────────────────────────────┐
│ Hub VNet (Connectivity Subscription)                 │
│ ├── Azure Firewall (outbound filtering)              │
│ ├── VPN / ExpressRoute Gateway (hybrid connectivity) │
│ └── Azure Bastion (admin access)                     │
└──────────────────────┬───────────────────────────────┘
                       │ VNet Peering
┌──────────────────────▼───────────────────────────────┐
│ AVD Spoke VNet                                       │
│ ├── Subnet: Session Hosts (D-series VMs)             │
│ ├── Subnet: Storage (Private Endpoints)              │
│ └── NSG: Restrict inbound to RDP Shortpath only      │
├──────────────────────────────────────────────────────┤
│ Storage                                              │
│ ├── Azure Files Premium (FSLogix profiles)           │
│ ├── Azure NetApp Files (large-scale, <1ms latency)   │
│ └── Private Endpoints (no public access)             │
└──────────────────────────────────────────────────────┘

Host Pool Design and Session Host Sizing

Host pools are the fundamental organizational unit in AVD. Each host pool contains one or more session hosts (VMs) and defines the desktop experience for users assigned to it. Proper host pool segmentation prevents noisy-neighbor issues, simplifies scaling, and enables workload-specific configurations.

Host Pool Types

Pool Type            | Use Case                                          | Cost Model            | User Experience
---------------------|---------------------------------------------------|-----------------------|-------------------------------------------
Pooled Multi-Session | Knowledge workers, task workers, general office   | $30-$60/user/month    | Shared VM, FSLogix profile loads at login
Personal (Dedicated) | Developers, data scientists, CAD/CAM users        | $80-$200/user/month   | Dedicated VM, persistent state, full control
RemoteApp            | Specific LOB apps (Epic, SAP, legacy apps)        | $15-$40/user/month    | App window only, no full desktop
GPU-Enabled          | 3D rendering, AI/ML, video editing                | $150-$500/user/month  | NV-series VMs with GPU acceleration

VM Sizing Recommendations

Session host VM sizing depends on the workload profile, number of concurrent users per VM, and application requirements. EPC Group uses this baseline from 200+ deployments, then validates with Azure Monitor metrics during pilot.

  • Task workers (data entry, call center): D2s_v5 (2 vCPU, 8 GB RAM) — 6-8 users/VM
  • Knowledge workers (Office, Teams, browser): D4s_v5 (4 vCPU, 16 GB RAM) — 8-12 users/VM
  • Power users (Power BI, large Excel, SQL tools): D8s_v5 (8 vCPU, 32 GB RAM) — 4-6 users/VM
  • Developers (Visual Studio, Docker, builds): D8s_v5 or D16s_v5 personal desktop — 1 user/VM
  • GPU workloads (CAD, 3D, AI): NV36ads_A10_v5 — 1-4 users/VM depending on GPU partitioning

Do Not Over-Provision

The most common AVD cost mistake is deploying oversized VMs. A D8s_v5 running 4 users costs twice as much per user as a D4s_v5 running 10 users. Start with the recommended baseline, monitor CPU and RAM during pilot (target 70% average utilization during peak), and right-size after 2 weeks of production data. Azure Monitor and AVD Insights provide per-host-pool utilization dashboards out of the box.

FSLogix Profile Management

FSLogix is the profile management solution for AVD pooled desktops. Instead of copying a user profile to the session host at login (slow, error-prone), FSLogix mounts a virtual hard disk (VHD/VHDX) containing the user's profile from a network share. The profile appears local to the session host, providing fast login times (under 10 seconds) and a consistent experience across sessions.

Storage Options for FSLogix

Storage              | Users Supported | Latency | Cost/User/Month
---------------------|-----------------|---------|----------------
Azure Files Standard | Up to 500       | 5-10 ms | $3-$5
Azure Files Premium  | Up to 5,000     | 1-3 ms  | $5-$10
Azure NetApp Files   | 5,000+          | <1 ms   | $8-$15

EPC Group recommends Azure Files Premium for most enterprise deployments. Azure NetApp Files is reserved for very large deployments (5,000+ concurrent users) or workloads requiring sub-millisecond latency. Always use private endpoints for storage — FSLogix traffic should never traverse the public internet.

FSLogix Best Practices

  • Profile size limits: Set a maximum profile size (30 GB default). Large profiles slow login and increase storage costs. Redirect large folders (Downloads, desktop files) to OneDrive instead of the profile container.
  • Cloud Cache: For multi-region deployments, enable FSLogix Cloud Cache to replicate profiles across two storage accounts. This provides profile availability during regional outages and supports users who travel between regions.
  • Office Container: Separate the Office data (Outlook OST, Teams cache, OneDrive cache) into a dedicated Office Container. This isolates Office-specific data from the general profile, enabling independent management and sizing.
  • Antivirus exclusions: Add FSLogix VHD/VHDX files, the FSLogix service executable, and the profile container mount paths to your antivirus exclusion list. Scanning these files causes severe login latency (60+ seconds instead of 10 seconds).
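As an added example (not EPC Group's or the FSLogix project's own script), the following PowerShell applies the profile-size cap, the Office Container split and the Defender antivirus exclusions from the list above on a session host or golden image; the storage account and share names are placeholders you replace with your own.

```powershell
# Added example (not EPC Group's script): apply the FSLogix settings from the
# list above on a session host or golden image. Run elevated before Sysprep.
# Placeholders: replace <storageaccount> and <share> with your Azure Files
# Premium account and share (reached through a private endpoint).
$ProfileShare = '\\<storageaccount>.file.core.windows.net\<share>'

function Set-RegistryValues {
    # Create the key if needed and write each value with the matching type.
    param([string]$Path, [hashtable]$Values)
    New-Item -Path $Path -Force | Out-Null
    foreach ($name in $Values.Keys) {
        $type = if ($Values[$name] -is [string]) { 'String' } else { 'DWord' }
        Set-ItemProperty -Path $Path -Name $name -Value $Values[$name] -Type $type
    }
}

# Profile Container: cap the profile at 30 GB and keep it on the share.
Set-RegistryValues -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -Values @{
    Enabled                              = 1
    VHDLocations                         = $ProfileShare
    SizeInMBs                            = 30000   # 30 GB limit
    IsDynamic                            = 1       # thin-provisioned container
    VolumeType                           = 'VHDX'
    FlipFlopProfileDirectoryName         = 1       # <user>_<SID> folder naming
    DeleteLocalProfileWhenVHDShouldApply = 1       # never fall back to a stale local copy
}

# Office Container: Outlook OST, Teams and OneDrive caches in their own disk.
Set-RegistryValues -Path 'HKLM:\SOFTWARE\Policies\FSLogix\ODFC' -Values @{
    Enabled         = 1
    VHDLocations    = $ProfileShare
    SizeInMBs       = 30000
    IsDynamic       = 1
    VolumeType      = 'VHDX'
    IncludeOutlook  = 1
    IncludeTeams    = 1
    IncludeOneDrive = 1
}

# Defender AV exclusions Microsoft documents for FSLogix; scanning the
# containers is what turns a 10-second login into 60 seconds or more.
$Paths = @(
    "$env:ProgramFiles\FSLogix\Apps\frxdrv.sys"
    "$env:ProgramFiles\FSLogix\Apps\frxdrvvt.sys"
    "$env:ProgramFiles\FSLogix\Apps\frxccd.sys"
    '%TEMP%\*.VHD', '%TEMP%\*.VHDX'
    '%Windir%\TEMP\*.VHD', '%Windir%\TEMP\*.VHDX'
    "$ProfileShare\*\*.VHD", "$ProfileShare\*\*.VHDX"
    "$env:ProgramData\FSLogix\Cache\*"   # Cloud Cache local cache
    "$env:ProgramData\FSLogix\Proxy\*"
)
$Processes = @(
    "$env:ProgramFiles\FSLogix\Apps\frxccd.exe"
    "$env:ProgramFiles\FSLogix\Apps\frxccds.exe"
    "$env:ProgramFiles\FSLogix\Apps\frxsvc.exe"
)
Add-MpPreference -ExclusionPath $Paths -ExclusionProcess $Processes
```

Verify the result with Get-MpPreference and a test login: the FSLogix event log (Microsoft-FSLogix-Apps/Operational) records the container attach time, which is the number to compare against the 10-second target.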

Golden Image Management and Updates

The golden image is the base OS image used by all session hosts in a host pool. It contains the Windows 11 multi-session OS, installed applications, FSLogix agent, monitoring agents, and security configurations. Maintaining the golden image is a critical operational process.

  • Azure Compute Gallery: Store and version golden images in Azure Compute Gallery. Replicate images across regions for multi-region deployments. Keep the last 3 versions for rollback capability.
  • Image Builder: Use Azure Image Builder (or Packer) to automate golden image creation. Define a build pipeline that: starts from the latest Windows 11 multi-session Marketplace image, installs applications via Chocolatey/Winget, applies security hardening (CIS benchmarks), installs FSLogix and monitoring agents, and runs Sysprep.
  • Update cadence: Rebuild the golden image monthly (aligned with Patch Tuesday) and deploy to host pools in a rolling update. Drain sessions from old hosts, replace with new hosts from the updated image, validate, then remove old hosts.

Networking and Connectivity

AVD networking requires careful planning for connectivity, security, and performance. The AVD control plane uses reverse connect — session hosts make outbound HTTPS connections to the Microsoft-managed gateway, eliminating the need for inbound ports.

RDP Shortpath

RDP Shortpath is a critical feature that establishes a direct UDP connection between the client and session host, bypassing the Microsoft gateway for the data stream. This reduces latency by 30-50% and improves the user experience for latency-sensitive applications like CAD, video editing, and real-time collaboration. Enable RDP Shortpath for managed networks (direct connectivity) and public networks (STUN/TURN traversal).

Outbound Connectivity Requirements

  • AVD service endpoints: Session hosts require outbound HTTPS (443) to Microsoft-managed AVD endpoints. Use service tags (WindowsVirtualDesktop) in Azure Firewall or NSG rules.
  • Microsoft 365: Optimize Teams, OneDrive, and SharePoint connectivity by allowing direct access to M365 endpoints (bypass proxy/firewall inspection for "Optimize" category endpoints).
  • Windows Update: Route through WSUS or Azure Update Manager. Do not allow session hosts to reach Windows Update directly.
  • Azure Monitor: Outbound to Log Analytics workspace for diagnostics, performance monitoring, and AVD Insights.

Security Hardening for Compliance

AVD security is multi-layered: identity, network, host, and data protection. For regulated industries, EPC Group implements defense-in-depth configurations that map to specific compliance controls. Our Azure security practice works closely with our data governance team to ensure AVD environments meet HIPAA, SOC 2, and FedRAMP requirements.

Identity Security

  • Conditional Access: Require MFA, compliant device, and approved location for AVD connections
  • Entra ID join (no AD DS dependency for cloud-native deployments)
  • Single sign-on (SSO) to AVD resources using Entra ID authentication
  • Privileged Identity Management (PIM) for admin access to host pools
  • Session timeout: 15-minute idle disconnect, 60-minute idle logoff

Network Security

  • Private endpoints for all storage (FSLogix profiles, file shares)
  • Azure Firewall for outbound traffic filtering with FQDN-based rules
  • NSGs on session host subnet: block all inbound except RDP Shortpath from AVD gateway
  • No public IP addresses on session hosts (use Azure Bastion for admin access)
  • DNS forwarding through hub VNet for consistent name resolution

Host Security

  • Microsoft Defender for Endpoint on all session hosts
  • CIS Windows 11 benchmark applied via Azure Policy or Intune
  • Disk encryption: Azure Disk Encryption with customer-managed keys (HIPAA requirement)
  • Screen capture protection: prevents screenshots and screen recording within AVD sessions
  • Watermarking: displays user identity on the desktop to deter photography of screens
  • Application control: Microsoft Defender Application Control (WDAC) or AppLocker to restrict executable applications

Data Security

  • Clipboard redirection: disabled for Highly Confidential host pools
  • Drive redirection: disabled to prevent data exfiltration to local devices
  • Printer redirection: disabled or restricted to approved network printers
  • USB redirection: disabled for all pooled host pools
  • Microsoft Purview sensitivity labels applied to all documents (see our Purview Information Protection guide)
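As an added example (not EPC Group's own script), this PowerShell enforces the Data Security redirection rules and the Identity Security session limits listed above for a Highly Confidential host pool, both at the host pool and on the session host itself; the resource group and host pool names are placeholders.

```powershell
# Added example (not EPC Group's script): enforce the Data Security redirection
# rules and the Identity Security session limits from the lists above for a
# Highly Confidential host pool. Part 1 runs from an admin workstation with
# Az.DesktopVirtualization after Connect-AzAccount; part 2 runs elevated on the
# session host or golden image. Placeholders: <rg>, <hostpool>.

# --- Part 1: host pool RDP properties (shape every client's .rdp file) ---
$RdpProperties = @(
    'redirectclipboard:i:0'    # clipboard off
    'drivestoredirect:s:'      # no local drives
    'redirectprinters:i:0'     # no local printers
    'usbdevicestoredirect:s:'  # no USB devices
    'devicestoredirect:s:'     # no plug-and-play devices
    'targetisaadjoined:i:1'    # Entra-joined session hosts
    'enablerdsaadauth:i:1'     # Entra ID authentication / SSO
) -join ';'
Update-AzWvdHostPool -ResourceGroupName '<rg>' -Name '<hostpool>' `
    -CustomRdpProperty $RdpProperties

# --- Part 2: server-side policy on the session host ---
# The RDP properties above only describe what the client asks for; they are
# not an enforcement boundary, so the host must refuse redirection as well.
$TsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $TsKey -Force | Out-Null
$HostPolicy = @{
    fDisableClip                = 1        # refuse clipboard redirection
    fDisableCdm                 = 1        # refuse drive redirection
    fDisableCpm                 = 1        # refuse printer redirection
    fDisablePNPRedir            = 1        # refuse plug-and-play device redirection
    fEnableScreenCaptureProtect = 1        # 1 = block on client, 2 = client and host
    fEnableWatermarking         = 1        # show the identity watermark
    MaxIdleTime                 = 900000   # 15 min idle -> disconnect (ms)
    MaxDisconnectionTime        = 3600000  # 60 min disconnected -> log off (ms)
    fResetBroken                = 0        # disconnect, not log off, at the idle limit
}
foreach ($name in $HostPolicy.Keys) {
    Set-ItemProperty -Path $TsKey -Name $name -Value $HostPolicy[$name] -Type DWord
}
```

Update-AzWvdHostPool replaces the whole custom RDP property string, so include any properties the pool already relies on (for example Teams-related settings) in the same call.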

Autoscaling and Cost Optimization

Autoscaling is the single most impactful cost optimization for AVD. Without autoscaling, organizations pay for peak capacity 24/7. With proper autoscaling, session hosts scale up during business hours and drain down to minimum during off-hours, saving 40-60% on compute costs.

AVD Autoscale Configuration

  • Ramp-up (6:00-9:00 AM): Start VMs ahead of user demand. Set minimum percentage of hosts to 25%. Load-balancing: breadth-first (spread users across all running VMs).
  • Peak hours (9:00 AM-5:00 PM): Run at full capacity. Maximum session limit per host determines when new VMs start. Load-balancing: depth-first (fill VMs to capacity before starting new ones) to maximize density.
  • Ramp-down (5:00-7:00 PM): Drain sessions from excess VMs. Send disconnect notifications to users on drain-mode hosts. Minimum percentage of hosts: 10%.
  • Off-peak (7:00 PM-6:00 AM): Run minimum hosts only (5-10% of peak). Depth-first load balancing to consolidate users on fewest VMs.

Additional Cost Optimization Strategies

  • Reserved Instances: Purchase 1-year or 3-year reservations for baseline VM count (the minimum you always run). Savings: 30-60% compared to pay-as-you-go. Use pay-as-you-go for burst capacity.
  • Azure Spot VMs: For non-critical, interruptible workloads (dev/test environments), use Spot VMs at up to 90% discount. Not recommended for production user-facing desktops.
  • Ephemeral OS disks: Use ephemeral disks for pooled session hosts. Since the golden image rebuilds monthly and user data lives in FSLogix profiles, there is no need for persistent OS disks. Savings: $15-$30/VM/month on managed disk costs.
  • Start VM on Connect: For personal desktops, enable Start VM on Connect. VMs remain deallocated until the user initiates a connection, then start automatically (30-60 second startup time). This eliminates compute costs during non-use periods.

AVD vs. Windows 365 vs. Citrix vs. VMware

Feature                 | Azure Virtual Desktop                     | Windows 365            | Citrix DaaS                          | VMware Horizon
------------------------|-------------------------------------------|------------------------|--------------------------------------|-----------------------
Multi-session Windows 11 | Yes                                      | No                     | Yes (on AVD)                         | No
Infrastructure control  | Full (IaaS)                               | None (SaaS)            | Full (IaaS)                          | Full (IaaS)
Autoscaling             | Built-in                                  | N/A (fixed per user)   | Add-on ($)                           | Add-on ($)
Per-user VDI license    | $0 (M365 E3/E5)                           | $28-$158/user/mo       | $12-$25/user/mo                      | $15-$22/user/mo
Best for                | 100+ users, cost optimization, compliance | <100 users, simplicity | Existing Citrix shops, app layering  | Existing VMware shops

Migrating from Citrix or VMware to AVD

EPC Group has migrated over 80 organizations from Citrix Virtual Apps and Desktops or VMware Horizon to Azure Virtual Desktop. The migration follows our structured cloud migration methodology.

  1. Assessment (Week 1-2): Inventory current VDI environment — user profiles, applications, GPU requirements, networking, and security policies. Map Citrix/VMware features to AVD equivalents. Identify migration blockers (app compatibility, peripheral redirection, print drivers).
  2. Architecture design (Week 3-4): Design AVD host pools, networking, FSLogix storage, and golden image pipeline. Plan Entra ID integration, Conditional Access, and Intune policies. Size VMs based on current utilization data from Citrix Director or Horizon Console.
  3. Pilot deployment (Week 5-8): Deploy AVD for 50-100 pilot users. Validate application compatibility, Teams optimization, printing, and performance. Measure user experience metrics (login time, app launch time, latency).
  4. Production migration (Week 9-16): Migrate user groups in waves (200-500 users per wave). Run Citrix/VMware and AVD in parallel during migration. Decommission legacy infrastructure after final wave validation.
  5. Optimization (Ongoing): Tune autoscaling, right-size VMs, implement Reserved Instances, and configure AVD Insights dashboards for ongoing monitoring.

Partner with EPC Group

EPC Group is a Microsoft Gold Partner with over 200 Azure Virtual Desktop deployments across healthcare, financial services, education, and government. Our Azure cloud consulting team delivers end-to-end AVD solutions — from initial assessment and architecture design through production deployment and ongoing optimization. We specialize in regulated environments where HIPAA, SOC 2, and FedRAMP compliance is non-negotiable.


Frequently Asked Questions

What is Azure Virtual Desktop (AVD)?

Azure Virtual Desktop (formerly Windows Virtual Desktop) is a cloud-based desktop and application virtualization service hosted on Azure. It provides multi-session Windows 11 (unique to AVD — no other VDI platform supports multi-session Windows 11), full desktop virtualization, and RemoteApp delivery. AVD is managed through the Azure portal and integrates natively with Microsoft Entra ID, Intune, Microsoft Defender, and Microsoft 365. It is the only virtual desktop infrastructure that includes Windows 10/11 Enterprise multi-session licensing at no additional cost for Microsoft 365 E3/E5 customers.

How much does Azure Virtual Desktop cost per user?

AVD costs vary based on VM size, utilization, and configuration. For knowledge workers using pooled multi-session hosts, expect $30-$60/user/month for compute (D-series VMs with autoscaling). Personal desktops for power users range from $80-$200/user/month. Storage (FSLogix profiles on Azure Files or Azure NetApp Files) adds $5-$15/user/month. Networking (bandwidth) adds $2-$10/user/month. Organizations with Microsoft 365 E3/E5 licenses avoid the per-user Windows licensing fee that competitors like Citrix or VMware charge. Total cost of ownership is typically 30-50% lower than on-premises VDI.

What is the difference between Azure Virtual Desktop and Windows 365?

Azure Virtual Desktop provides full infrastructure control — you manage host pools, VM sizes, networking, autoscaling, and image management. It supports multi-session Windows 11, pooled and personal desktops, and RemoteApp. Windows 365 (Cloud PC) is a simpler, per-user SaaS model where Microsoft manages the infrastructure. Each user gets a dedicated Cloud PC with fixed specs and a flat monthly price ($28-$158/user/month). Choose AVD for cost optimization at scale (100+ users), multi-session pooling, and compliance requirements. Choose Windows 365 for simplicity with smaller deployments (under 100 users) where predictable billing matters more than cost optimization.

How do I secure Azure Virtual Desktop for HIPAA compliance?

HIPAA-compliant AVD requires: network isolation with private endpoints (no public internet exposure), Azure Firewall or NSGs restricting outbound traffic, disk encryption with customer-managed keys, FSLogix profile encryption, Conditional Access policies requiring compliant devices and MFA, Microsoft Defender for Endpoint on session hosts, screen capture protection and watermarking enabled, session recording for audit trails, and Azure Policy enforcing compliance baselines. EPC Group has deployed HIPAA-compliant AVD environments for over 50 healthcare organizations including multi-hospital systems with 10,000+ concurrent users.

Can Azure Virtual Desktop replace Citrix or VMware Horizon?

Yes. AVD is the most common migration target for organizations moving away from Citrix Virtual Apps and Desktops or VMware Horizon. Key advantages over legacy VDI: no per-user licensing cost for M365 E3/E5 customers, native Azure AD and Intune integration, multi-session Windows 11 (exclusive to AVD), built-in autoscaling, and Microsoft-managed control plane (no infrastructure to maintain). Common migration blockers include Citrix-specific features like app layering and zone preferences, which require architecture redesign. EPC Group provides structured Citrix-to-AVD and Horizon-to-AVD migration programs.

How many users can a single AVD host pool support?

A single AVD host pool supports up to 10,000 session hosts. For multi-session Windows 11, each D4s_v5 VM (4 vCPUs, 16 GB RAM) typically supports 8-12 knowledge workers or 4-6 power users (depending on application workload). A host pool of 100 D4s_v5 VMs supports 800-1,200 concurrent users. Autoscaling automatically adjusts the number of running VMs based on demand — turning off VMs during off-hours saves 40-60% on compute costs. For large deployments, use multiple host pools segmented by region, department, or workload profile.