Krome Cast: Tech-IT-Out
KROME CAST: TECH-IT-OUT: Why choose Azure Virtual Desktop?
In this episode of Krome Cast: Tech-it-Out, we discuss Azure Virtual Desktop and how the evolution of the modern desktop environment has improved security and access control for IT teams.
With the increase in hybrid working, deploying an Azure Virtual Desktop environment offers organisations a simple and effective way to manage and control access to company data and applications securely.
This podcast features Krome’s Commercial Director, Sam Mager, along with Krome's Senior Technical Consultant Paul Carey, sharing their insights on running an Azure Virtual Desktop environment with some key security considerations and why you should consider using AVD for your business.
► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.
► KROME WEBSITE: https://www.krome.co.uk/
► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk
► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/
SPEAKERS
Sam Mager, Krome Technologies Commercial Director
Paul Carey, Krome Technologies Senior Technical Consultant
Sam Mager 00:00
Welcome to Krome Cast, Tech-it-Out, I'm Sam Mager, Commercial Director for Krome Technologies, and I'm joined today for the first time, by Mr Paul Carey, Senior Technical Consultant.
Paul Carey 00:10
Thanks for having me, Sam.
Sam Mager 00:11
No problem at all. Today we're talking about the evolution of the modern desktop, and specifically around AVD, Azure Virtual Desktop, and obviously that's something that I know you've got a lot of experience in, going back to Citrix, and obviously now people are making this migration to AVD. It'd be great today for you to talk our audience through, I guess, A, what is it? Let's go through some of the basics. You know, what is a virtual machine? Some of the advantages of AVD over some of the competition, and why we're seeing this migration away from systems like Citrix into AVD, and then I guess some of the more interesting stuff that I've discovered as we work on this, the fact that we can now almost have a Windows desktop on any device should you choose to, and I guess there are also some potential security concerns around some of that. But if we're going to, I guess, rewind all of that and go in at the beginning, I guess, what is AVD?
Paul Carey 01:12
AVD is the Azure Virtual Desktop environment; it's a new environment which Microsoft have released which allows people to connect up to Windows 10 machines within their environment. You use it to connect up to resources that are published to you, in a secure and controlled manner. The desktops are created by IT, the IT department, and then the applications available to users can be restricted and limited, depending on the user group that they belong to, or depending on user access rights and permissions. It's secured by default, so access is through a Microsoft-hosted platform, allowing connections through a web application gateway, which they look after.
Sam Mager 02:04
Okay. How's that different from, you know, again, treat me as a bit of a luddite on this, I know a bit, but obviously nowhere near your realm. So we've got what we used to have, a fat client environment, and the access we have around that, with AD and OUs, and all that sort of stuff. Is it a direct replica of that, with Azure? Or is there more to it?
Paul Carey 02:24
So it's moving the Windows workstations, with users' data on them and applications on them, out of their physical environment and up into the Azure cloud environment; the applications will remain the same. They're restricted as to what people have access to, it's much more controlled, and it's easier to prevent data loss for virtual desktops.
Sam Mager 02:48
Hang on, that's an interesting point, because a lot of things we've talked about, especially in recent podcasts, have been around ransomware, data loss, strong passwords, and all that sort of standard stuff that we know is important. So it would be good to understand, I guess, how, by using things like AVD, we are able to enhance that security?
Paul Carey 03:07
So within AVD you can stop people from extracting data, pulling data out of the connection into the virtual desktop; you can stop people accessing USB drives, printers, I guess local file drives.
Sam Mager 03:23
Obviously it's quite important, because the whole point of them being on the virtual desktop is the work-from-anywhere piece. So obviously, if we've got a machine in an office, there's also the physical control you put over it, both the eyes on it, but if I'm working from anywhere, you kind of need that extra layer of security.
Paul Carey 03:41
Yeah, of course. So if you're working from home, then you can plug in any computer, you can plug in your home computer to use it, connect via that access across a secure connection, with IT being able to restrict the number of resources that you can pull data through to get back to your own computer.
Sam Mager 04:00
So just think about that, because obviously, with the pandemic and all that sort of stuff, we saw remote work increase exponentially, but BYOD obviously, people using their own devices. What considerations do we have to think about? Because if somebody is using their own device, and obviously we talked about this off camera, the fact that you can use an iPad, you could use your mobile phone, I'm not sure you would want to use a Windows desktop on a mobile phone, but you could. But you know, it's giving people this capability to use that work desktop, I guess, from anywhere. Are there any considerations around, I guess, the basic system requirements and that sort of stuff to actually make it work properly? Or does it not matter, because we're leveraging the cloud?
Paul Carey 04:47
So yeah, Microsoft's implementation helps us. To get a desktop published to you, there are very many infrastructure servers, a lot of infrastructure management services, that are typically required in an RDS environment or a Citrix environment to get this to work. Microsoft take all that away, and everything is managed by Microsoft. Then there's using the Microsoft Authenticator app or text messages they can send you, conditional-based access, which is all inherent in the Microsoft platform, and it's used widely throughout many different services; many applications use it that aren't within Azure, so the authentication process,
Sam Mager 05:27
Part of that natural, I guess, Microsoft ecosystem.
Paul Carey 05:30
It is, and the benefits of that are well-trodden and well-used by multiple different applications, both within Azure and outside of Azure. The authenticator application is used to secure many different environments.
Sam Mager 05:45
Yeah, obviously this group is going to assume things like MFA, and that sort of thing, to actually access the information.
Paul Carey 05:51
Yeah, so the MFA can come in multiple forms within the authentication process: you receive text messages, use the authenticator app on your phone, you've got source IP addresses and access tokens based on whether you've accessed in the past or not, you may or may not get prompted if you're coming from a secure location; it depends how you want to configure it. So it's very flexible.
Sam Mager 06:13
I was about to say, and that's all part of, I guess, the considerations you have to give when you're designing something like this, and you're configuring something like this for a customer. That's part of the investigation, I guess: looking at where people will work, the parameters of that, the permissions they will need to have. They're all considerations we've got to have from day one.
Paul Carey 06:30
Yeah. So access can be constrained however you'd like it; there's very little that would get through it, if you configured it in a great way.
Sam Mager 06:41
I guess it's really important if you've got, I don't know, it could be HR for instance, you don't want to get certain stuff here but not necessarily over there, all that sort of thing, having that ultimate level of control. And then another thing that I was thinking of, and again we talked about some of this off camera, and it's quite enlightening, but it kind of made my brain ping, if you like: there's just the ease of scalability. You know, we've seen before where we've done lots of large-scale, let's call it traditional fat client rollouts. That's quite a bit of literally heavy lifting, and there's obviously a lot of on-site infrastructure to support all of that, and it's just, I guess, the ease of actually spinning stuff up like AVD, to get that to multiple users very rapidly.
Paul Carey 07:24
So it's all infrastructure as code. So you can write and develop your solution; you write the scripts that you can pass up to Azure, machines can be built on the fly almost, additional machines added into a pool as you require. So you typically build up a golden image, put your applications into that, then you place it into a shared image gallery within Azure, and from that you create the workstations that users would connect on to, and workstations can be Windows 10, Server 2016, 2019, as you like. As in a traditional on-premises environment, multiple users could log onto the same Windows 10 Enterprise machine, if they wanted to.
Sam Mager 08:09
And I think that was an interesting point we discussed as well. In my head, the old VDI world was almost like a one-to-one: this is my virtual desktop, my profile. And actually, with AVD it can be quite different, you can have that shared resource; I guess from a commercial perspective, that makes sense.
Paul Carey 08:27
Yeah. So we reduce the CPU and RAM overheads and the costs that you'd incur by using that, and we've got multiple users logging onto the same Windows 10 machine. Yeah,
Sam Mager 08:38
Do you have to, I guess, throttle what people can have? Or does it allow you to burst if you get someone doing something particularly resource-intensive? Does it allow you to do that? Or how do you manage that?
Paul Carey 08:48
On a per-user basis, it's hard to increase CPUs and memory on the fly, but then for subsequent connections we could divert them on to a higher-resource machine.
Sam Mager 09:00
So does it allow you to burst, or allocate more resources as required, or how do we manage that? And I think actually, specifically thinking about intensive applications where people do CAD design, all that sort of stuff, how do we manage that within AVD?
Paul Carey 09:15
So for users with intensive applications, we looked at provisioning desktops with a bit more RAM, more CPU, more resource, more IOPS available to them, and they would have a better experience when they come to use that. Then we can dedicate these machines to specific groups of users, on a departmental basis, so users would be able to access the higher-spec desktop, with applications installed by IT; CAD could even be used up there, if you wanted to. The RDS protocol is strong enough to allow that to pass through.
Sam Mager 09:50
Does that mean, I mean, again, going back to just seeing the laptops sat over there makes me think, again, we're talking about CAD, and obviously we do this, so I'm glad, so you really can do, I guess, high-intensity applications, all that sort of stuff, on something as simple as a micro PC or an iPad? Is that really feasible?
Paul Carey 10:11
You could do, yeah. So you could run a machine in Azure with 32 CPUs, half a terabyte of RAM, have it connected on your phone, and you still get the same amount of resource within the cloud available to you. It's gonna be impossible to use it on a phone.
Sam Mager 10:25
Yeah, someone will try.
Paul Carey 10:29
But you could use it on an iPad if you want to, the iPad Pro, larger screen, and you can get a keyboard, you can get a Bluetooth mouse available for it. So you could theoretically run Microsoft applications within Azure on iOS devices or Android devices.
Sam Mager 10:42
And is it a persistent experience? I'm thinking of my prior knowledge of things like Citrix; obviously I could be working on my CAD design, whatever it is, on my iPad, on the train or at home, wherever it is, and I come into the office and I've got exactly the same thing going on.
Paul Carey 10:56
It is dependent on your network connection, internet connection. If you're on a train, you might get lucky. You might be able to use the train's inbuilt GSM system to connect out, 3G, 4G, but yeah, typically it wouldn't be great on the train, you'd want to
Sam Mager 11:14
If I lost my connection, I don't know, let's say, and then I come into the office, can I log back into that system?
Paul Carey 11:19
You can do, yes. The session is stored on the desktop that you're connected to within Azure; when you come to reconnect to it, everything will be exactly where you left it, and you'd be able to connect back in and just carry on as you were working.
Sam Mager 11:31
So no excuses. Yeah, of course, I'm just thinking then, obviously, you know, we can mention some of our vendors, because people will be aware of the likes of Citrix and VMware Horizon, all that sort of stuff. I'll ask your direct opinion as to why you would recommend someone goes for AVD over the more traditional Citrix etc, etc?
Paul Carey 11:54
So AVD is a comparable product to Citrix Virtual Apps and Virtual Desktop, Remote Desktop Services, VMware View, so it's doing the same function. The management overhead of all the other applications out there, VMware View, Citrix, RDS, is all taken on; it's all owned by Microsoft's service. So maintaining those servers, maintaining the security around those servers and services, is controlled by Microsoft. So it's one less thing to worry about.
Sam Mager 12:26
I was about to say, so you're outsourcing that: it's the same experience, same concept, but without that overhead of managing it internally. So I guess you're freeing up your internal resource to do, let's call it, more interesting things.
Paul Carey 12:40
Yeah. So in the past, maintaining Citrix environments, VMware View environments, we'd be maintaining that management service more often than the gold image,
Sam Mager 12:50
We've seen some big Citrix environments in the past, and we know how intense they can be just to keep the lights on.
Paul Carey 12:56
Yeah, but moving to AVD, you're focused more on the images, so what you're providing, the gold image, and you're able to spend a lot more time crafting that in such a way that it's a better experience.
Sam Mager 13:09
Let's focus on that, because I think it's, again, an interesting point around how we, is there any difference or not around the packaging part? So obviously we have to package applications to publish them in AVD; what sort of toolset or tooling do Microsoft give us to do that? Is it any easier than the more traditional route, etc, etc?
Paul Carey 13:28
Yeah, so within Microsoft's environment, you can code everything; everything is done by code, they love it, it's what they want everyone to use. We can create desktops via PowerShell into Azure, we can have applications installed onto them via PowerShell as well, via multiple methods: it can be group policies, could be Chocolatey repositories, it can come from multiple different areas, SCCM, and you'd use these to push applications for users onto the desktop, and from here you'd create a gold image. You can do all this by code; you create a gold image, and the gold image you can then spawn out into host machines that users connect into.
Sam Mager 14:20
So that's, I guess, the ease of proliferation. So if we have to suddenly push out 100, 1000, etc desktops, is it that easy?
Paul Carey 14:30
Yeah. We can set it up so users log on to a single machine which they control; they can make changes to that machine, they can install their own applications onto it, and they'll persist each time they log back into it. Typically, for most users, they log on to a machine that gets rebooted each night and all the changes are lost; this is a much more controlled configuration, in that fashion. I think IT like it, because users can't go off and destroy things and install software.
Sam Mager 15:02
Yep.
Paul Carey 15:05
Yes. Yeah, much more controlled.
Sam Mager 15:07
Okay. Yeah,
Paul Carey 15:09
Yeah, and another benefit of Windows 10 that Microsoft has just released, or relatively recently released: they bought out a company called FSLogix. It's a free product for use if you have an RDS licence or a Microsoft Virtual Desktop licence. With this, it controls multiple things. The greatest benefit is the profile container, and an office container, where, on logging on to your virtual machine, all your profile data is redirected to a virtual hard drive, which can be in Azure storage, or it could be on a file server somewhere, an SMB share. The benefit of this is that users will be able to log on immediately. They're not waiting for profile data to be downloaded from the server. The VHD file, the virtual hard drive file containing their profile, is mapped straight into the virtual desktop, and any accesses to profile data go over the network connection to the VHD file. So very quick log-ons, and it's able to persist much more data than in the past and than the alternative solutions that Citrix and Microsoft have attempted.
Sam Mager 16:22
Yeah. And I guess a much nicer overall user experience.
Paul Carey 16:26
Yeah, and it removes an awful lot of profile bloat that you can get. Users prefer that, in our experience, to the massive log-on times that you can see.
Sam Mager 16:40
Yeah, I see. Okay. So I guess, and I will ask the question, because obviously what we're doing here is we're waxing lyrical about the benefits of AVD, and you know, it's the answer, the panacea to everything. Clearly that isn't the case; there is still a reason to have a fat client environment, but I guess in your opinion, where is that? Where do you say, you know what, if you do this, you should definitely be AVD? And potentially, actually, if you're doing that, you should stick with fat client? Or am I completely wrong, and the world should be AVD?
Paul Carey 17:11
The biggest selling point for AVD is security, because you're able to control all of your data, and all of your access to that data, in a much more controlled manner than with fat clients, so laptops, desktops. If you want to control access to applications that your business provides, AVD will allow that. Large desktops are beneficial for the fatter applications, some applications which are heavily 3D-dependent, but it's not to say you can't run,
Sam Mager 17:52
Just need an awful lot of resources in the cloud to do it.
Paul Carey 17:55
Yeah.
Sam Mager 17:56
Okay.
Paul Carey 17:57
There are benefits to local desktops where people are roaming about; you might not have an internet connection.
Sam Mager 18:03
So I thought, perhaps, I think about, I can see that, you know, the way 5G is pushing out, and give it another five years, I suspect we'll all be hive-mind connected somehow anyway, but you know, the problem of actually not having an internet connection anywhere will probably not be a thing. I guess at that point that's probably the death of that point.
Paul Carey 18:25
Yeah, I could see that yeah.
Sam Mager 18:27
And actually, going on that, obviously we'll all be connected one day, but as we are today, I was thinking about, we deal with some very big customers and there are some very big implementations of AVD, essentially, that are global, and obviously you have different Azure tenants in different regions; how does that work with AVD?
Paul Carey 18:46
So there's one entry point into the Azure Virtual Desktop environment from the internet. That entry point is the same no matter where you are. So you can be in Australia, you're still accessing the same URL to connect in, as you are in the UK. If you access from Australia, you can be directed onto a desktop within Australia or the Australian region. If you're accessing from the UK, you can access the same URL and be directed to a desktop in the UK, and the difference is obviously the lower latency of the connection, which gives a better, smoother experience for users. But all that is controlled, and access is controlled and directed to the nearest desktop; that's all managed by Microsoft, and we can spin up VMs in a region wherever we like, it's very easy to do that, just by changing the code that you're passing on to Azure to provision the desktops with. The connections and load balancing across the internet, it's all managed by Microsoft.
Sam Mager 19:44
The big thing I'm taking away from this is simplicity. It all seems to be the fact that we can push a lot of this to Microsoft to take care of, and actually it seems to be very, very simple. So I think I know what's going to come back my way, but I'm going to hit you with it anyway, as I often do with the podcasts: the top three things. I guess I'll ask you, in your opinion, what are the top three reasons why someone should look at AVD?
Paul Carey 20:08
So, easy to scale: you can scale out as quickly as you like, as slowly as you like, as much as you like, and you can power off the VMs overnight, and that way only use the power as you need to, so scalability is there. Security is the second most important one. So you can retain your data and retain access to your data, you can control access to this environment using Microsoft's controls to do that. The third one: IT can really control what people do, and we can control what people have access to, and you can control the user environment experience a lot better.
Sam Mager 20:46
You can lock down people like me doing silly things, and yeah,
Paul Carey 20:48
Yeah, especially you.
Sam Mager 20:51
Alright, and on that note I think I'll end it, but thank you Paul, it's been really interesting, and again, I usually learn quite a lot from this podcast, but today I think I learnt quite a bit, so thank you.
Paul Carey 21:00
Thank you very much.
Sam Mager 21:02
And thank you for joining us on this edition of Krome Cast. If there's anything you'd like us to cover in future episodes, please do leave that in the comment section, and remember like, comment and share, and join us again on Krome Cast, Tech-it-Out.