Plan and Implement a Disaster Recovery Plan for Azure Virtual Desktop

In this section, you’ll learn how to implement a disaster recovery plan.

What Is Disaster Recovery?

Disaster recovery is an organization’s method of regaining access and functionality to its IT infrastructure in a secondary location/region after events like a disaster in the primary region. A variety of disaster recovery (DR) methods can be part of a disaster recovery plan. DR is one aspect of business continuity. Applications/infrastructure must be replicated to a DR region so that they can be made available during a disaster.

To keep your organization’s data safe, you may need to adopt a business continuity and disaster recovery (BCDR) strategy. A sound BCDR strategy keeps your apps and workload up and running during planned and unplanned service or Azure outages.

Azure Virtual Desktop offers BCDR for the Azure Virtual Desktop service to preserve customer metadata during outages. When an outage occurs in a region, the service infrastructure components will fail over to the secondary location and continue functioning as normal. You can still access service-related metadata, and users can still connect to available hosts. End-user connections will stay online as long as the tenant environment or hosts remain accessible.

To make sure users can still connect during a regional outage, you need to replicate their virtual machines (VMs) in a different location. During outages, the primary site fails over to the replicated VMs in the secondary location. Users can continue to access apps from the secondary location without interruption. On top of VM replication, you’ll need to keep user identities accessible at the secondary location. If you’re using profile containers, you’ll also need to replicate them. Finally, make sure your business apps that rely on data in the primary location can fail over with the rest of the data.

To summarize, to keep your users connected during an outage, you’ll need to do the following things in this order:

1. 1.

   Replicate the VMs in a secondary location.

    
2. 2.

   If you’re using profile containers, set up data replication in the secondary location.

    
3. 3.

   Make sure the user identities you set up in the primary location are available in the secondary location.

    
4. 4.

   Make sure any line-of-business applications relying on data in your primary location are failed over to the secondary location. See Figure 10-1.

    

Disaster recovery relies upon the replication of data and the computers in a secondary location not being affected by the disaster. When servers go down because of a natural disaster, equipment failure, or cyberattack, a business needs to recover lost data from a second location where the data is backed up. Ideally, an organization can transfer its computer processing to that remote location as well to continue operations.

Most Azure resources come with the option to set the data replication to another region, so you must plan the disaster recovery during Azure Virtual Desktop implementation so that data replication can be enabled for all required resources during the implementation phase. Different resources are involved in pooled and personal desktops, and planning DR for each type of desktop is different.

Let’s see how we can plan and set up disaster recovery for each type of desktop.

Disaster Recovery for Pooled Desktops

Pool desktops are nonpersistent desktops, and that’s the reason we must use FSLogix to store the profile on a remote file share/storage. Since we already learned about all the pooled desktop concepts, you know that there are multiple resources we create as part of the pooled desktop creation, and you must plan disaster recovery for all the required resources.

The following are the resources of a pooled desktop, and we will see how we can plan DR for each resource (see Figure 10-2):

• Pooled user profile (DFS file share/Azure File Share Storage/Azure NetApp)

• Pooled host pool session host

• Pooled image

• MSIX package storage account

• On-premises connectivity and authentication

Premium storage does not allow for replication, but since premium storage is recommended for production workloads, you can use the FSLogix cloud cache, which will allow you to replicate the user profile to multiple storage accounts in a different region. By doing this you will be able to use the secondary storage account automatically if the primary storage account is not accessible/available. Primary and secondary storage are both dependent on the sequencing in the CCDLocation registry key, and both the storage accounts will be in sync. A CCDLocation overrides a VHDLocation, if they are both set.

The main advantage of using a cloud cache with premium storage is that you will get a high IOPS storage, which is recommended for production workloads; in addition, you will have profile data in two regions, and no manual intervention is required for failover or failback for the user profile in the case of a disaster in the primary region. See Figure 10-9.

In Figure 10-9 you can see that FSLogix is syncing the user profile data to both storage accounts using a cloud cache. Refer to Chapter 6 for more details about the cloud cache.

Azure NetApp also has a disaster recovery option, and you can easily configure replica in a supported cross region. The Azure NetApp Files replication functionality provides data protection through cross-region volume replication. You can asynchronously replicate data from an Azure NetApp Files volume (source) in one region to another Azure NetApp Files volume (destination) in another region. This capability enables you to fail over your critical application in the case of a region-wide outage or disaster. There are certain cross-region replication pairs to which you can replicate a NetApp file volume, so it’s recommended to check the Microsoft site for an updated list of supported cross-region replica pairs.

Another important resource you should consider in a DR plan is your golden image stored in the image gallery. The Azure image gallery has a replication future, which allows you to replicate images to a specific region and use the LRS/ZRS storage accounts to store the replicated image in a secondary region. Refer to Chapter 5 for more details. In the case of a disaster in a primary region, you don’t have to perform any action to fail over the images, and the image copy will be available in the secondary region to create a VM from. See Figure 10-10.

The limitation with image gallery replications is that you can create a limited number of VMs from a replicated image (20 VMs per replicated VM as of December 2021), and if you want to create hundreds of VMs in a replicated region, then you have to consider an alternative to storing an image in another region using the Azure image builder.

A pooled host pool is nonpersistent, and we can store all user profile data to the remote storage. Additionally, you can have pooled hostpool image with all application/configuration ready to deploy, so DR is not really required for a pooled host pool session host but definatly required for user profile storage and operating system image. You can simply create a new session host in the DR region using a pooled image, and it will come up with all the applications, FSLogix configuration inside new session host in DR region that will use the user profile from the fslogix cloud cache secondary location.

If you still want to protect your pooled session host from disaster, then you can use the Azure Recovery Services Vault (ASR) to protect the pooled session host, and you can fail over the session host during the disaster in a primary region. The following are the detailed steps to protect the session host as well as to fail over.

Enabling replication/protection for AVD virtual machines is again a one-time activity at the time of Azure Virtual Desktop creation, but you might want to repeat it if you add additional session hosts of the host pool in your environment. You can automate the additional session host protection by using the PowerShell Az.RecoveryServices module. Follow these steps to protect the AVD session host using ASR:

Adding virtual machines to the recovery service plan is a one-time activity to group multiple protected VMs/session hosts in the recovery plan so that you can fail over all the VMs together.

After the DR, you can fail back the session host to the primary region and protect the VMs again using ASR. When you fail over Azure VMs from one region to another using Azure Site Recovery, the VMs boot up in the secondary region, in an unprotected state. If you want to fail back the VMs to the primary region, do the following tasks:

Disaster Recovery for Personal Desktops

Personal desktops are persistent desktops, which means the user data will be there on the same VM, and the user will be able to log in to the same VM every time. Since the user profile/data will be on the VM itself, you have to protect the VM using ASR. See Figure 10-43.

In the case of a disaster in a primary region, you don’t have to perform any action to fail over the images, and the image copy will be available in the secondary region to create the VM from. See Figure 10-44.

Design a Backup Strategy for Azure Virtual Desktop

A backup is required if you want to retrieve old data or accidentally deleted data. As we discussed earlier, the backup and disaster both are different. Disaster allows you to continue service access during disaster in your primary region, but it will not allow you to retrieve old data in case something goes wrong with the user data. Backups can be taken in the same region using the Azure native service called Azure Backup. You can protect your data by taking backups at regular intervals, via a backup policy. Azure Backup creates recovery points that can be stored in georedundant recovery vaults. See Figure 10-45.

A comprehensive backup strategy is an essential part of an organization’s cyber safety. It can be defined as an administrator’s plan to ensure critical organizational data is backed up and available for restore in the case of a data loss event. A backup strategy, along with a disaster recovery plan, is a better business continuity plan, which allows an organization to recover with zero-to-minimal damage to the business, data, and reputation.

A personal desktop needs to be backed up as users can store data on personal desktop and it should be protected with any backup tool.

For pooled desktops, VMs are not required to be backed up, because user data will be there in the user profile storage, so you have to plan a backup option for the user profile data for pooled desktops.

Configure Backup and Restore for FSLogix User Profiles and Personal Virtual Desktop Infrastructures

You now know why backup is important for Azure Virtual Desktop, so let’s go ahead and see how to configure a backup for a personal desktop and FSLogix user profile (pooled desktop).

Azure backups can be created through the Azure portal. This method provides a browser-based user interface to create and configure Azure backups and all related resources. You can protect your data by taking backups at regular intervals. Azure Backup creates recovery points that can be stored in georedundant recovery vaults.

Restoring a session host/VM is possible from the recovery vault or from the VM page in the Azure portal. You can log in to Azure and go to the session host you want to restore and click the Backup option. You will be able to see the backup status of the session host under the Backup option, and you can see two different restore options. See Figure 10-49.

You can restore a full VM to a specific restore point, you can overwrite the disk, or you can also create new a VM from the restore point you selected under this option. See Figure 10-50.

File recovery allows you to download the executable and run it on the VM where you want to restore data. Once you execute the file, then it will attach the disk to the VM, and you can recover specific files from the backup. See Figure 10-51.

Pooled desktops use FSLogix to store user profile/data to a remote storage, so it is important to take backups of the user profile storage. You can protect the user profile data by taking backups at regular intervals. Azure Backup creates recovery points that can be stored in georedundant recovery vaults.

Azure file share backup is a native, cloud-based backup solution that protects your data in the cloud and eliminates additional maintenance overheads involved in on-premises backup solutions. The Azure Backup service smoothly integrates with Azure File Sync and allows you to centralize your file share data as well as your backups. This simple, reliable, and secure solution enables you to configure protection for your enterprise file shares in a few simple steps with an assurance that you can recover your data in any disaster scenario.

Key Benefits of Azure File Share Backup

Here are the key benefits:

• Zero infrastructure: No deployment is needed to configure protection for your file shares.

• Customized retention: You can configure backups with daily/weekly/monthly/yearly retention according to your requirements.

• Built-in management capabilities: You can schedule backups and specify the desired retention period without the additional overhead of data pruning.

• Instant restore: Azure file share backup uses file share snapshots, so you can select just the files you want to restore instantly.

• Alerting and reporting: You can configure alerts for backup and restore failures and use the reporting solution provided by Azure Backup to get insights on backups across your file shares.

• Protection against accidental deletion of file shares: Azure Backup enables the soft delete feature on a storage account level with a retention period of 14 days. Even if a malicious actor deletes the file share, the file share’s contents and recovery points (snapshots) are retained for a configurable retention period, allowing the successful and complete recovery of source contents and snapshots with no data loss.

• Protection against accidental deletion of snapshots: Azure Backup acquires a lease on the snapshots taken by scheduled/on-demand backup jobs. The lease acts as a lock that adds a layer of protection and secures the snapshots against accidental deletion.

These are the steps to enable user profile storage backup:

1. 1.

   Log in to the Azure portal and go to the user profile storage account and file share. Click the file share name under the file share option.

    
2. 2.

   Go to the backup option on the file share and select an existing vault or create a new vault if you don’t have one. The vault must be in the same region. Also verify the backup policy and backup frequency to proceed. Once you verify everything, then click “Enable backup.” See Figure 10-52.

    

You can restore specific files or all data from the Azure storage account file share backup. Go to the file share and click Backup to restore the full share or file recovery. See Figure 10-53.

Summary

In this chapter, you learned about planning and implementing disaster recovery for Azure Virtual Desktop including pooled and personal desktops. You also learned about the difference between backup and disaster recovery. Backup is also important to protect the user data in same region, so you learned how to back up user profile data for pooled and personal session host VMs.