
Microsoft is expanding its offerings for Azure Virtual Desktop (AVD) with the option to deploy AVD on your own on-prem infrastructure. This isn’t completely new, since Azure Local already made this possible, but it required specific hardware. With this new approach, those hardware requirements are gone. You can now run AVD on almost any host, as long as the Session Host is Azure Arc enabled.

Extra controls for Data Sovereignty

With AVD becoming available on basically any hypervisor of your liking, it provides a strong option for organizations that need to keep tight control over their data. In times where data sovereignty is becoming more important, being able to run AVD locally while still benefiting from the Azure control plane is a big advantage.

You control, and are responsible for, the provisioning process. You lose some of the cloud native advantages, but you win on data sovereignty.

The authentication and brokering layer

I’ve been working in the VDI space for a long time, and one of its biggest selling points, regardless of the product or vendor, is remote access without the need for a VPN.

While that sounds great, it also introduces one of the biggest challenges for organizations using these solutions. The frontend is critical: you need to stay on top of it, and you have to patch (very) quickly whenever a security update is released. After all, this is now the main entry point into your environment.

And in reality, many companies still use their VPN anyway, for different workloads. This means they end up with two different solutions providing remote access, and both need to be maintained. (Often by two different teams.)

With this new deployment option for Azure Virtual Desktop, you can also make use of Microsoft’s public gateway, which integrates directly with your Conditional Access setup. You do not need to maintain the frontend yourself; Microsoft handles it for you, giving you more peace of mind.

The high level Architecture

I’ve created a small architecture overview to give you a better understanding of the components involved and the required setup. This approach allows you to leverage the benefits of Microsoft Entra ID for secure authentication, while still taking advantage of all Azure Virtual Desktop management capabilities and the familiar VDI experience.

The Microsoft managed gateway brokers your session and lands the user on the on-prem session host using the CloudDeviceExtension, which can be installed once your VM is Arc enabled. No special network connectivity is required as long as the AVD endpoints are reachable.

Your session hosts remain on premises, inside your trustworthy network, close to that one legacy application that simply cannot move to the cloud because of latency requirements or architectural limitations.

[Figure: AVD Hybrid architecture]

Who is this for?

So, is this the right solution for you? In most cases, I still believe that a fully cloud native approach with Azure Virtual Desktop or Windows 365 is the better long term strategy. But the reality is that many organizations still struggle to move everything to the cloud at once.

AVD Hybrid creates an interesting middle ground, allowing you to modernize parts of your infrastructure while keeping latency sensitive workloads on premises. Most importantly, it moves the most complex part of traditional VDI, the management and control layer, into Microsoft’s cloud platform.

This can be especially interesting if:

  • You want to modernize gradually instead of doing a complete migration at once; you can just use your existing session hosts without redeployment.
  • You want to get rid of that expensive VDI platform but cannot move to the cloud, and Microsoft RDS is not what you want.
  • Your applications are latency sensitive and do not perform well when fully hosted in the cloud.

Comparison matrix

So let’s put the solutions side by side; this comparison matrix should show you all the information that you need. One important point to note is operational complexity. While AVD Hybrid significantly simplifies the management layer by moving the control plane into Azure, you still remain responsible for provisioning and maintaining the virtual machines within your own infrastructure.

| Feature | Windows 365 | AVD | AVD Hybrid (NEW) | Traditional VDI |
|---|---|---|---|---|
| Host Location | Azure Only | Azure Only | On-Premise, Arc enabled servers | On-Premise |
| Control Plane | Microsoft Managed | Microsoft Managed | Microsoft Managed + Partner integrations | Customer Managed |
| Connection Gateway | Microsoft Managed | Microsoft Managed | Microsoft Managed | Customer Managed |
| Microsoft Conditional Access | Native Integration | Native Integration | Native Integration | None, Limited or Custom |
| Infrastructure Management | Azure Based | Azure Based | Customer Managed, Azure Control | Customer Managed |
| Hardware Requirements | Azure Only | Azure Only | Customer Managed, Arc enabled servers | Vendor specific |
| Scalability | Very High, automated | High, requires specialized setup | Depending on own hardware and automation | Depending on own hardware and vendor |
| Data Residency | Azure Only | Azure Only | On-prem, local! | On-prem, local! |
| Security Responsibility | Microsoft Heavy | Shared, Microsoft Heavy | Microsoft for frontend + Customer Heavy | Customer Heavy |
| External Access | Microsoft managed gateway | Microsoft managed gateway | Microsoft managed gateway | Customer managed gateway or VPN |
| Operational Complexity | Low | Medium | High | Very High |

Supported operating systems and deployment methods

AVD Hybrid brings AVD Remote Desktop and RemoteApp capabilities to virtually any hypervisor platform. Microsoft limits support to the guest operating system and the installed extensions used to facilitate this connection. Using AVD Hybrid in combination with Azure, or with third party public cloud providers such as Google Cloud or AWS, is not supported. You can also only deploy standard AVD host pools; AVD Hybrid currently does not support Session Host Configuration.

When looking at deployment methods, both Microsoft Entra hybrid joined and fully cloud native deployments are supported. You can use AVD Hybrid with Windows Server either on physical hardware or inside virtual machines. For Windows 11 Enterprise, only virtual machines are supported; physical Windows 11 endpoints are not supported as session hosts.

This brings us to the elephant in the room.

Now that we have covered what is and is not supported, you may have noticed that one important thing is missing: Windows 11 multisession.

While AVD Hybrid can still provide a multisession experience by using Windows Server together with RDS CALs, one of the major reasons companies move to Azure Virtual Desktop is the availability of Windows 11 Enterprise multisession. That OS version remains exclusive to Microsoft Azure, like it always was.

Licensing model

The service is currently in public preview, but Microsoft has not yet shared many details around licensing. I expect more information to become available as the service transitions into General Availability.

How to deploy this?

I’ll cover the deployment process in a separate blog post, but during the early public preview phase deployment is only possible through PowerShell. You first need to onboard your virtual machines into Azure Arc and then run a script to install the CloudDeviceExtension while providing the Host Pool registration token. After that your host will show up in AVD and will become available to connect to using the Windows app.
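As an added illustration of the three steps above (this is not the post's own script and not Microsoft's preview tooling), the following PowerShell uses the general Az.ConnectedMachine and Az.DesktopVirtualization cmdlets to confirm the host is Arc connected, mint a short-lived host pool registration token, and hand that token to the extension as a protected setting rather than a plain one. The extension publisher, extension type and the setting key name are placeholders I have assumed, because the post does not give them.

```powershell
# Illustrative example only (not Microsoft's preview script).
# Requires the Az.ConnectedMachine and Az.DesktopVirtualization modules.
# Placeholders (assumed, replace with the values from Microsoft's documentation):
#   $Publisher, $ExtensionType and the 'registrationToken' setting key.
param(
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $HostPoolName,
    [Parameter(Mandatory)] [string] $MachineName,   # Arc enabled session host
    [Parameter(Mandatory)] [string] $Location
)

$Publisher     = 'PLACEHOLDER-PUBLISHER'       # placeholder: extension publisher
$ExtensionType = 'PLACEHOLDER-EXTENSION-TYPE'  # placeholder: extension type name

# 1. Refuse to continue unless the Arc agent reports the host as connected;
#    an extension pushed to a disconnected machine just sits there pending.
$arcMachine = Get-AzConnectedMachine -ResourceGroupName $ResourceGroupName -Name $MachineName
if ($arcMachine.Status -ne 'Connected') {
    throw "Arc machine '$MachineName' is '$($arcMachine.Status)', not 'Connected'. Onboard it to Azure Arc first."
}

# 2. Mint a registration token with a short lifetime. It only has to live until
#    the extension has registered the host, so keep the exposure window small.
$expiry  = (Get-Date).ToUniversalTime().AddHours(2)
$regInfo = New-AzWvdRegistrationInfo -ResourceGroupName $ResourceGroupName `
                                     -HostPoolName $HostPoolName `
                                     -ExpirationTime $expiry

# 3. Install the extension. The token goes into ProtectedSetting: protected
#    settings are encrypted for the agent and are not returned when the
#    extension resource is read back, unlike the plain Setting hashtable.
New-AzConnectedMachineExtension -Name 'CloudDeviceExtension' `
    -ResourceGroupName $ResourceGroupName -MachineName $MachineName -Location $Location `
    -Publisher $Publisher -ExtensionType $ExtensionType `
    -ProtectedSetting @{ registrationToken = $regInfo.Token }   # key name is a placeholder

# 4. Do not leave the token in the interactive session afterwards.
Remove-Variable regInfo
```

Once the extension reports success, the host should appear under the host pool in the AVD portal; if it does not, the Arc extension status on the machine is the first place to look.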

What do you think?

I’m curious to hear your thoughts. With the customers I speak to, this is consistently a hot topic. I know there will be comments about the lack of Windows 11 multisession support, but I don’t think that is a deal breaker. Azure Virtual Desktop on Azure still provides Windows 11 multisession and remains the preferred deployment model for those scenarios.
