【Azure】Configuring an AVD Environment for Secure Application Access

CharlyJYX
4 min read · Mar 28, 2024

In our previous post, we explored the advantages of using Microsoft Azure Virtual Desktop (AVD) to provide secure remote access to a SAP development environment. Today, we’ll go through the specifics of configuring an AVD environment tailored for SAP access.

Here’s a breakdown of the key steps involved:

1. Setting Up the AVD Infrastructure:

  • Resource Group: Create a resource group in Azure to organize all the resources related to your AVD environment, including virtual machines, storage, and networking.
  • Virtual Machine Image: Choose a pre-configured Windows multi-session image.

Install the necessary SAP software components on the virtual machine. This may involve SAP GUI, specific modules, and any required libraries or dependencies.

User Profile Management: If you want to deploy roaming user profiles, it’s recommended that you configure user profile management so that users get a consistent experience whichever session host they land on. This can be achieved through Azure Active Directory (AAD) or Group Policy.

I created an image from Win11 multi-session, version 23H2, and published it to the Azure Compute Gallery.
  • Virtual Machine Size: Select a virtual machine size that caters to the resource demands of your SAP applications. Consider CPU, memory, and disk storage requirements based on the expected workload.
  • Virtual Network: Create a dedicated virtual network for your AVD environment to isolate it from your other networks and enhance security. I also built peering from the AVD virtual network to the network where the SAP environment is deployed and to the network where Microsoft Entra Domain Services (formerly Azure AD Domain Services, AADDS) lives, which is needed for domain join.
Peering so the AVD subnet can communicate with the SAP subnet and Microsoft Entra Domain Services.
  • Subnets: Configure separate subnets for the AVD deployment and the jump box (a VM used for initial administrative access). This adds an extra layer of security segmentation.
Virtual network with a dedicated subnet for AVD pool.

2. Creating VMs in a Host Pool:

  • Add virtual machines to a host pool: Create a VM pool to support the AVD connections. This defines the pool of virtual machines that users will connect to. You can configure the desired number of VMs for scalability based on expected access needs.
Size the VMs according to your requirements when creating them.
Choose the right subnet, input the account used for domain join, and lastly create a local admin account.
At least one VM must be running to accept connections.
The application group that I’ve created.
Add applications to this application group. You can always add or manage applications any time later.
Define the application.
Add users or Entra ID group for those you want to have access to this application group.

3. Create a Workspace to Deploy the Desktop or RemoteApp:

Go to workspaces and create a new one.
Input the details.
Register the application groups that were created in the host pool.
You may review or edit the outcome once the workspace is created.

The RemoteApp is now ready to be connected to.

4. Security Considerations:

  • Network Security Groups (NSGs): Utilize NSGs to restrict inbound and outbound traffic to the AVD environment. This ensures only authorized connections are allowed, minimizing the attack surface.
  • Monitoring and Logging: Enable monitoring and logging for your AVD environment to track user activity and identify any potential security threats.
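As an added example (not code from the original post), the Python script below models an NSG rule set for the AVD subnet and checks the flows this setup depends on: RDP from the Internet blocked, outbound 443 to the WindowsVirtualDesktop service tag allowed (AVD uses reverse connect, so session hosts need no inbound from the Internet), SAP GUI traffic to the peered SAP subnet allowed, and no unrestricted egress. The subnet ranges, the SAP port and the rule set itself are assumptions, and service-tag matching is simplified to an exact name match.

```python
"""Audit a constructed Azure NSG rule set for an AVD session-host subnet.
Azure evaluates rules in priority order (lowest number first); the first match
wins. Service tags ("Internet", "WindowsVirtualDesktop", ...) are modelled as
plain names here, while CIDR prefixes are matched with the ipaddress module."""
import ipaddress

AVD_SUBNET = "10.1.0.0/24"    # assumed AVD session-host subnet
SAP_SUBNET = "10.2.0.0/24"    # assumed peered SAP subnet
AADDS_SUBNET = "10.3.0.0/24"  # assumed Entra Domain Services subnet
SAP_GUI_PORT = 3200           # SAP dispatcher port for instance 00 (assumed)

# Constructed rule set: (priority, direction, access, protocol, src, dst, dst_port)
AVD_NSG_RULES = [
    (100, "Inbound", "Deny", "Tcp", "Internet", "*", "3389"),
    (100, "Outbound", "Allow", "Tcp", AVD_SUBNET, "WindowsVirtualDesktop", "443"),
    (110, "Outbound", "Allow", "Tcp", AVD_SUBNET, "AzureMonitor", "443"),
    (120, "Outbound", "Allow", "Tcp", AVD_SUBNET, SAP_SUBNET, "3200-3299"),
    (130, "Outbound", "Allow", "*", AVD_SUBNET, AADDS_SUBNET, "*"),
    (4000, "Outbound", "Deny", "*", "*", "Internet", "*"),  # restrict egress
]

def _addr_match(prefix, value):
    """True if a rule prefix ('*', a service tag, or a CIDR) covers the flow endpoint."""
    if prefix == "*":
        return True
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError:          # not a CIDR, so treat it as a service tag
        return prefix == value
    try:
        return ipaddress.ip_address(value) in net
    except ValueError:          # a tag name never falls inside a CIDR rule
        return False

def _port_match(port_range, port):
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rules, direction, protocol, src, dst, port):
    """Return 'Allow' or 'Deny' for one flow. Without a match, Azure's default
    rules deny inbound and allow outbound (VNet/load-balancer defaults omitted)."""
    for _prio, d, access, proto, s, t, p in sorted(rules):
        if (d == direction and proto in ("*", protocol) and _addr_match(s, src)
                and _addr_match(t, dst) and _port_match(p, port)):
            return access
    return "Deny" if direction == "Inbound" else "Allow"

def audit_avd_subnet(rules):
    """Run the checks for this design; returns the names of the checks that fail."""
    expected = {  # check name: (flow, expected verdict); host IPs are constructed
        "rdp_from_internet_blocked": (("Inbound", "Tcp", "Internet", "10.1.0.4", 3389), "Deny"),
        "avd_control_plane_reachable": (("Outbound", "Tcp", "10.1.0.4", "WindowsVirtualDesktop", 443), "Allow"),
        "sap_gui_to_sap_subnet": (("Outbound", "Tcp", "10.1.0.4", "10.2.0.10", SAP_GUI_PORT), "Allow"),
        "no_unrestricted_internet_egress": (("Outbound", "Tcp", "10.1.0.4", "Internet", 443), "Deny"),
    }
    return [name for name, (flow, want) in expected.items() if evaluate(rules, *flow) != want]
```

Dropping the final priority-4000 deny rule reproduces the weak configuration, in which the egress check fails because Azure's default outbound rule allows everything.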


CharlyJYX

I hold the Azure Solutions Architect Expert certification, and I'm here to share my knowledge and insights on building robust and scalable cloud architectures.