Secure Azure Virtual Desktop deployment with Terraform

Today we’re going to talk about Azure Virtual Desktop, encryption and security 😊. And, most importantly, we’ll see how to automate all this to save time while complying with Microsoft’s best practices.

Here’s the architecture we’re going to put in place. The idea is simple: one resource group holds the compute and the disk encryption resources (we’ll use a customer-managed key, CMK). A Key Vault stores the disk encryption key, which is rotated every 30 days, together with the local administrator secrets. A second resource group is dedicated to the Azure Virtual Desktop configuration itself (workspace, host pool, application group).

What is CMK – Customer Managed Key?

Customer-managed keys (CMKs) are encryption keys that the customer creates, reads, updates, deletes and otherwise controls themselves, as opposed to platform-managed keys that Microsoft manages. They are stored in a Key Vault or a managed Hardware Security Module (HSM) that belongs to the customer. Bring Your Own Key (BYOK) is the related scenario in which a customer imports a key generated in their own HSM into an Azure key management service.

For more information, see Microsoft’s key management overview: https://learn.microsoft.com/en-us/azure/security/fundamentals/key-management

Terraform Script:

Now that you know a bit more, let’s move on to the Terraform (TF) script, which we’re going to analyse step by step.

First, we’ll create a resource group and a VNet with an address space of 10.0.0.0/16:

And a subnet:

We’re also going to create an NSG (Network Security Group) for the session hosts and associate it with the subnet created previously. Note that AVD uses reverse connect: the session host opens an outbound TLS (443) connection to the AVD gateway and the client never connects inbound, so the NSG only needs to allow outbound 443 towards the AVD service; no inbound RDP (3389) or 443 rule is required, and the default DenyAllInBound rule keeps the hosts unreachable from the Internet.
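The network foundation described in the three steps above, written out as an added example (this is not the article’s script, which lives in the author’s GitHub repository). Resource names, the region and the subnet CIDR are assumptions; the NSG rule uses the WindowsVirtualDesktop service tag, which is what reverse connect actually needs.

```hcl
# Added example, not the article's own script. Names, region and CIDRs are
# illustrative assumptions. Providers for the later steps are declared here.
terraform {
  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 3.100" }
    azuread = { source = "hashicorp/azuread", version = "~> 2.47" }
    random  = { source = "hashicorp/random", version = "~> 3.6" }
    time    = { source = "hashicorp/time", version = "~> 0.11" }
  }
}

provider "azurerm" {
  features {}
}

# Resource group for compute and disk encryption resources.
resource "azurerm_resource_group" "avd" {
  name     = "rg-avd-compute"
  location = "westeurope"
}

resource "azurerm_virtual_network" "avd" {
  name                = "vnet-avd"
  location            = azurerm_resource_group.avd.location
  resource_group_name = azurerm_resource_group.avd.name
  address_space       = ["10.0.0.0/16"]
}

resource "azurerm_subnet" "avd" {
  name                 = "snet-avd-hosts"
  resource_group_name  = azurerm_resource_group.avd.name
  virtual_network_name = azurerm_virtual_network.avd.name
  address_prefixes     = ["10.0.1.0/24"]
}

# AVD session hosts use reverse connect: they dial out to the AVD gateway over
# TLS 443 and clients never connect inbound. So the only rule we need is
# outbound 443 to the AVD service tag. The built-in DenyAllInBound rule already
# blocks RDP/443 from the Internet, and the built-in AllowInternetOutBound rule
# still covers the other Microsoft endpoints the hosts need (Entra ID sign-in,
# activation). If you replace that default with a deny, add the service tags
# from Microsoft's required-URL list.
resource "azurerm_network_security_group" "avd" {
  name                = "nsg-avd-hosts"
  location            = azurerm_resource_group.avd.location
  resource_group_name = azurerm_resource_group.avd.name

  security_rule {
    name                       = "allow-avd-service-outbound-443"
    priority                   = 100
    direction                  = "Outbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "VirtualNetwork"
    destination_address_prefix = "WindowsVirtualDesktop"
  }
}

resource "azurerm_subnet_network_security_group_association" "avd" {
  subnet_id                 = azurerm_subnet.avd.id
  network_security_group_id = azurerm_network_security_group.avd.id
}
```

Session hosts in this subnet get no public IP anywhere in the deployment; the AVD gateway is the only path in, which is the property the NSG is protecting.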

Once this stage is complete, we’ll create our Azure Virtual Desktop.

First, we’re going to create the workspace:

Next, we create the Host Pool:

Tip: I encountered a connection error between my RDWeb desktop and AVD. The solution is to add the following line to custom_rdp_properties: ;targetisaadjoined:i:1;.

Once the host pool has been created, we add the registration info that the virtual machines we are going to create will use to join it:

The expiration_date is the RFC 3339 timestamp at which the registration token stops being valid; a session host must present a token before that date to be admitted to the AVD host pool. The value comes from a variable in the script.

Next, we’re going to create the DAG (Desktop Application Group). An application group is what is actually published to users: a Desktop group publishes the full session desktop, while a RemoteApp group publishes individual applications instead:

Of course, we’re going to link our Workspace to the DAG:
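The AVD control-plane part, from workspace to workspace/application-group association, as an added example (not the article’s script). It assumes the hashicorp/azurerm and hashicorp/time providers are declared in the root module; the names, the pooled load-balancing settings and the extra RDP properties are assumptions for illustration.

```hcl
# Added example, not the article's own script. Names are assumptions.
resource "azurerm_resource_group" "avd_service" {
  name     = "rg-avd-service"
  location = "westeurope"
}

resource "azurerm_virtual_desktop_workspace" "avd" {
  name                = "ws-avd"
  location            = azurerm_resource_group.avd_service.location
  resource_group_name = azurerm_resource_group.avd_service.name
  friendly_name       = "Secure AVD"
}

resource "azurerm_virtual_desktop_host_pool" "avd" {
  name                     = "hp-avd"
  location                 = azurerm_resource_group.avd_service.location
  resource_group_name      = azurerm_resource_group.avd_service.name
  type                     = "Pooled"
  load_balancer_type       = "BreadthFirst"
  maximum_sessions_allowed = 10
  validate_environment     = false
  start_vm_on_connect      = false

  # targetisaadjoined:i:1 lets clients that are not themselves Entra-joined
  # reach Entra-joined session hosts; enablerdsaadauth:i:1 turns on Entra ID
  # authentication (single sign-on) for the RDP connection. Disabling drive
  # and clipboard redirection closes two easy data-exfiltration paths.
  custom_rdp_properties = join(";", [
    "targetisaadjoined:i:1",
    "enablerdsaadauth:i:1",
    "drivestoredirect:s:",
    "redirectclipboard:i:0",
  ])
}

# The registration token is what a new session host presents to join the pool.
# time_rotating pushes the expiry forward every 7 days, so the value does not
# silently age into the past, without the perpetual diff that timestamp()
# would cause on every plan.
resource "time_rotating" "avd_token" {
  rotation_days = 7
}

resource "azurerm_virtual_desktop_host_pool_registration_info" "avd" {
  hostpool_id     = azurerm_virtual_desktop_host_pool.avd.id
  expiration_date = time_rotating.avd_token.rotation_rfc3339
}

# A Desktop application group publishes the full session desktop.
resource "azurerm_virtual_desktop_application_group" "desktop" {
  name                = "dag-avd"
  location            = azurerm_resource_group.avd_service.location
  resource_group_name = azurerm_resource_group.avd_service.name
  type                = "Desktop"
  host_pool_id        = azurerm_virtual_desktop_host_pool.avd.id
  friendly_name       = "Secure desktop"
}

resource "azurerm_virtual_desktop_workspace_application_group_association" "avd" {
  workspace_id         = azurerm_virtual_desktop_workspace.avd.id
  application_group_id = azurerm_virtual_desktop_application_group.desktop.id
}
```

The registration token is a bearer credential for joining the pool: anyone holding it before expiration_date can enrol a machine as a session host. Keep the expiry short and treat the `token` attribute as a secret in state.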

That’s it, the Azure Virtual Desktop part is complete.

We’re now going to create the virtual machines and network interfaces:

Once we’ve created our network interfaces, we’ll create a Key Vault with a random name suffix and the permissions needed to create keys and secrets. We enable soft delete with a 7-day retention and, because a Key Vault that backs a disk encryption set must also have purge protection enabled (Azure rejects the disk encryption set otherwise), we turn that on too. The vault will hold both the disk encryption key and the secrets of the local administrator accounts:

Next, we create the disk encryption key with a Key Vault rotation policy that generates a new key version every 30 days:

Finally, we create the disk encryption set:

We then grant the disk encryption set’s managed identity access to the key in the Key Vault. It only needs to wrap and unwrap the data-encryption keys for the disks, so a crypto-service role is enough; it does not need rights to read secrets or manage keys.
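The Key Vault, the auto-rotated CMK, the disk encryption set and the local administrator secret from the four steps above, as one added example (not the article’s script). It assumes the compute resource group `azurerm_resource_group.avd` from the earlier network step and the hashicorp/random provider; vault and key names, sizes and rotation periods are assumptions, and the vault uses Azure RBAC rather than access policies so that the disk encryption set can be given the least-privilege role.

```hcl
# Added example, not the article's own script. Names and sizes are assumptions.
data "azurerm_client_config" "current" {}

resource "random_string" "kv_suffix" {
  length  = 6
  upper   = false
  special = false
}

resource "azurerm_key_vault" "avd" {
  name                = "kv-avd-${random_string.kv_suffix.result}"
  location            = azurerm_resource_group.avd.location
  resource_group_name = azurerm_resource_group.avd.name
  tenant_id           = data.azurerm_client_config.current.tenant_id
  sku_name            = "premium" # premium also allows HSM-backed (RSA-HSM) keys

  # A vault behind a disk encryption set needs BOTH soft delete and purge
  # protection; without purge protection the DES creation fails.
  # enabled_for_disk_encryption is for in-guest Azure Disk Encryption and is
  # not needed for server-side encryption with a CMK.
  soft_delete_retention_days = 7
  purge_protection_enabled   = true

  # Azure RBAC instead of vault access policies: scoped, auditable roles.
  enable_rbac_authorization = true
}

# The deployer needs a data-plane role to create keys and secrets.
resource "azurerm_role_assignment" "deployer_kv_admin" {
  scope                = azurerm_key_vault.avd.id
  role_definition_name = "Key Vault Administrator"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_key_vault_key" "disk" {
  name         = "cmk-avd-disks"
  key_vault_id = azurerm_key_vault.avd.id
  key_type     = "RSA"
  key_size     = 4096
  key_opts     = ["decrypt", "encrypt", "sign", "unwrapKey", "verify", "wrapKey"]

  # Key Vault rotates the key itself: a new version 30 days after each
  # version is created, each version expires after 90 days, and an event is
  # raised 29 days before expiry so a stuck rotation is noticed.
  rotation_policy {
    automatic {
      time_after_creation = "P30D"
    }
    expire_after         = "P90D"
    notify_before_expiry = "P29D"
  }

  depends_on = [azurerm_role_assignment.deployer_kv_admin]
}

resource "azurerm_disk_encryption_set" "avd" {
  name                      = "des-avd"
  location                  = azurerm_resource_group.avd.location
  resource_group_name       = azurerm_resource_group.avd.name
  encryption_type           = "EncryptionAtRestWithCustomerKey"
  # Versionless key id + auto rotation: the DES follows each new key version
  # produced by the rotation policy without a Terraform change.
  key_vault_key_id          = azurerm_key_vault_key.disk.versionless_id
  auto_key_rotation_enabled = true

  identity {
    type = "SystemAssigned"
  }
}

# Least privilege for the DES identity: wrap/unwrap only, which is exactly
# what "Key Vault Crypto Service Encryption User" grants.
resource "azurerm_role_assignment" "des_kv_crypto" {
  scope                = azurerm_key_vault.avd.id
  role_definition_name = "Key Vault Crypto Service Encryption User"
  principal_id         = azurerm_disk_encryption_set.avd.identity[0].principal_id
}

# Local administrator password: generated by Terraform and stored in the vault
# so it never appears in tfvars. It is still present in Terraform state, so
# the state backend must be encrypted and access-controlled.
resource "random_password" "admin" {
  length           = 24
  special          = true
  override_special = "!#$%&*()-_=+[]{}<>:?"
}

resource "azurerm_key_vault_secret" "admin_password" {
  name         = "avd-local-admin-password"
  key_vault_id = azurerm_key_vault.avd.id
  value        = random_password.admin.result
  content_type = "password"
  depends_on   = [azurerm_role_assignment.deployer_kv_admin]
}
```

Two things to watch when applying this: RBAC assignments can take a minute to propagate, so the first `terraform apply` occasionally fails on key creation with a 403 and succeeds on retry; and the role assignment for the disk encryption set must exist before any VM disk referencing the set is created, which is why the VM resources should depend on it.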

Once this is done, we create our virtual machines:

Finally, we join our session hosts to Microsoft Entra ID (formerly Azure Active Directory) rather than to a specific/existing Active Directory domain, and we register the VMs in the AVD host pool using the registration token.
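The session hosts themselves, from network interface to host pool registration, as an added example (not the article’s script). It assumes the subnet, disk encryption set, Key Vault secret, host pool and registration info from the earlier steps under the names used here. The VM size, image SKU and admin user name are assumptions, and the URL of Microsoft’s AVD DSC artifact is left as a variable to be filled from the current AVD documentation rather than hard-coded.

```hcl
# Added example, not the article's own script. Size, image and names are
# assumptions; the DSC artifact URL is deliberately left to the caller.
variable "session_host_count" {
  type    = number
  default = 2
}

# URL of the Configuration_*.zip DSC package that Microsoft publishes for
# AVD session-host registration; copy the current one from the AVD docs.
variable "avd_dsc_artifact_url" {
  type = string
}

resource "azurerm_network_interface" "host" {
  count               = var.session_host_count
  name                = "nic-avd-${count.index}"
  location            = azurerm_resource_group.avd.location
  resource_group_name = azurerm_resource_group.avd.name

  ip_configuration {
    name                          = "internal"
    subnet_id                     = azurerm_subnet.avd.id
    private_ip_address_allocation = "Dynamic"
    # No public IP: the AVD gateway is the only way to reach the host.
  }
}

resource "azurerm_windows_virtual_machine" "host" {
  count                 = var.session_host_count
  name                  = "vm-avd-${count.index}"
  location              = azurerm_resource_group.avd.location
  resource_group_name   = azurerm_resource_group.avd.name
  size                  = "Standard_D4s_v5"
  license_type          = "Windows_Client" # AVD per-user licensing
  admin_username        = "avdadmin"
  admin_password        = azurerm_key_vault_secret.admin_password.value
  network_interface_ids = [azurerm_network_interface.host[count.index].id]

  # Trusted launch: Secure Boot and vTPM, so boot integrity is measured.
  secure_boot_enabled = true
  vtpm_enabled        = true

  identity {
    type = "SystemAssigned" # required by the Entra join extension
  }

  os_disk {
    caching                = "ReadWrite"
    storage_account_type   = "Premium_LRS"
    disk_encryption_set_id = azurerm_disk_encryption_set.avd.id # CMK at rest
  }

  source_image_reference {
    publisher = "MicrosoftWindowsDesktop"
    offer     = "Windows-11"
    sku       = "win11-22h2-avd"
    version   = "latest"
  }

  # The DES identity must be able to unwrap the key before the disk exists.
  depends_on = [azurerm_role_assignment.des_kv_crypto]
}

# Join Microsoft Entra ID directly; no AD DS domain is involved.
resource "azurerm_virtual_machine_extension" "entra_join" {
  count                      = var.session_host_count
  name                       = "AADLoginForWindows"
  virtual_machine_id         = azurerm_windows_virtual_machine.host[count.index].id
  publisher                  = "Microsoft.Azure.ActiveDirectory"
  type                       = "AADLoginForWindows"
  type_handler_version       = "2.0"
  auto_upgrade_minor_version = true
}

# Install the AVD agent and register the host in the pool. The registration
# token goes in protected_settings so it is not readable from the VM's
# extension configuration afterwards.
resource "azurerm_virtual_machine_extension" "avd_register" {
  count                      = var.session_host_count
  name                       = "AvdDsc"
  virtual_machine_id         = azurerm_windows_virtual_machine.host[count.index].id
  publisher                  = "Microsoft.Powershell"
  type                       = "DSC"
  type_handler_version       = "2.73"
  auto_upgrade_minor_version = true

  settings = jsonencode({
    modulesUrl            = var.avd_dsc_artifact_url
    configurationFunction = "Configuration.ps1\\AddSessionHost"
    properties = {
      HostPoolName = azurerm_virtual_desktop_host_pool.avd.name
      aadJoin      = true
    }
  })

  protected_settings = jsonencode({
    properties = {
      registrationInfoToken = azurerm_virtual_desktop_host_pool_registration_info.avd.token
    }
  })

  depends_on = [azurerm_virtual_machine_extension.entra_join]
}
```

Ordering matters here: the Entra join has to complete before the AVD agent registers the host, otherwise the host joins the pool as a non-Entra machine and Entra-based sign-in fails, hence the explicit depends_on between the two extensions.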

To add a little complexity to our script, we create two groups that will have access rights to the AVD VMs. These groups will be assigned the RBAC roles ‘Virtual Machine Administrator Login’ and ‘Virtual Machine User Login’, which is what allows an Entra ID account to sign in to an Entra-joined session host. Note that sign-in rights alone are not enough for a user to see the desktop in their feed: AVD only publishes resources to principals that are assigned to the application group (the ‘Desktop Virtualization User’ role on the DAG), so the groups need that assignment as well:
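The two groups and their role assignments, as an added example (not the article’s script). It assumes the hashicorp/azuread provider, the compute resource group `azurerm_resource_group.avd` and the application group `azurerm_virtual_desktop_application_group.desktop` from the earlier steps; group names are assumptions. It also adds the application-group assignment that the VM login roles do not cover.

```hcl
# Added example, not the article's own script. Group names are assumptions.
resource "azuread_group" "avd_admins" {
  display_name     = "sg-avd-admins"
  security_enabled = true
}

resource "azuread_group" "avd_users" {
  display_name     = "sg-avd-users"
  security_enabled = true
}

# Sign-in to the Entra-joined session hosts. Scoped to the compute resource
# group rather than the subscription, so the groups cannot log in to other
# Entra-joined VMs by accident.
resource "azurerm_role_assignment" "vm_admin_login" {
  scope                = azurerm_resource_group.avd.id
  role_definition_name = "Virtual Machine Administrator Login"
  principal_id         = azuread_group.avd_admins.object_id
}

resource "azurerm_role_assignment" "vm_user_login" {
  scope                = azurerm_resource_group.avd.id
  role_definition_name = "Virtual Machine User Login"
  principal_id         = azuread_group.avd_users.object_id
}

# Without this the group members can authenticate but their feed is empty:
# AVD publishes a desktop only to principals assigned on the application group.
resource "azurerm_role_assignment" "dag_access" {
  for_each = {
    admins = azuread_group.avd_admins.object_id
    users  = azuread_group.avd_users.object_id
  }

  scope                = azurerm_virtual_desktop_application_group.desktop.id
  role_definition_name = "Desktop Virtualization User"
  principal_id         = each.value
}
```

Membership of the two groups is managed outside Terraform (or with `azuread_group_member`), so adding a user to sg-avd-users is the only step needed to onboard them; removing them revokes both the desktop and the host sign-in at once.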

Once the script has been completed, it is executed:

Launch terraform init to download the providers.

Run terraform plan and review the output, then terraform apply to apply the changes. Reserve terraform apply -auto-approve for a pipeline that applies a plan file that has already been reviewed; skipping the review interactively removes the one chance to catch an unintended change to the encryption or RBAC resources before it happens.

If we check on the Azure side, the resource group has been created, as has all the infrastructure.

Our groups have been created and assigned to RBAC. (Remember to add the accounts that need to access AVD to these groups).

Our Key Vault contains the disk encryption key and the secrets of the local administrator accounts.

The host pool has been created and the virtual machines have been added.

Now we’re going to launch the Remote Desktop Web client or the Windows Desktop client:

Connect to Azure Virtual Desktop with the Remote Desktop Web client – Azure | Microsoft Learn

Launch it and sign in:

Welcome to your Azure Virtual Desktop machines!

As promised, you’ll find my entire script on my GitHub. Feel free to make changes. For my part, I’ll try to keep it as up-to-date as possible. 😊.

Link Script : technicalandcloud/Secure-AzureVirtualDesktop-deployment-with-Terraform (github.com)

Nicolas VACCARO

Passionate about the Cloud environment, I write articles that can help beginners and experts alike.
