
AZ-140 Study Guide

Domain 1: Plan and Implement an AVD Infrastructure

  • AVD Architecture: The Big Picture Free
  • Network Capacity and Design Free
  • RDP Shortpath, Multipath and QoS Free
  • Private Link and Network Troubleshooting Free
  • Storage Planning for User Data Free
  • File Shares and Azure NetApp Files Free
  • Host Pool Architecture: Personal vs Pooled Free
  • Sizing for Performance and Capacity Free
  • Creating Host Pools and Session Hosts Free
  • Session Host Licensing Free
  • Building Session Host Images Free
  • Image Lifecycle and Compute Gallery Free

Domain 2: Plan and Implement Identity and Security

  • Identity Scenarios for AVD
  • RBAC, Conditional Access and SSO
  • Defending AVD with Microsoft Defender
  • Network Security: NSGs, Firewall, Bastion
  • Threat Protection and Confidential VMs

Domain 3: Plan and Implement User Environments and Apps

  • FSLogix Profile Containers and ODFC
  • FSLogix Cloud Cache and Application Masking
  • AVD Clients: Choose and Deploy
  • User Experience and Session Settings
  • Application Groups and RemoteApp
  • Microsoft 365, Teams and OneDrive on AVD
  • App Attach: Dynamic Application Delivery

Domain 4: Monitor and Maintain an AVD Infrastructure

  • Monitoring AVD with Azure Monitor
  • Autoscaling and Session Management
  • Update Strategy and Backups
  • Disaster Recovery and Multi-Region

Domain 1: Plan and Implement an AVD Infrastructure Free ⏱ ~13 min read

Network Capacity and Design

Azure Virtual Desktop is a network-heavy service. Every pixel, every keystroke, every mouse movement travels over the network. Get the networking wrong and your users will feel it instantly.

Why networking matters for AVD

☕ Simple explanation

Imagine streaming a live video call, but instead of just video, you are streaming an entire desktop.

Every click, every window resize, every Teams call - it all travels over the network. If the road (network) is too narrow or too bumpy, your users see lag, frozen screens, and dropped connections. AVD networking is about building the right roads: wide enough for the traffic, smooth enough for real-time interaction, and with enough lanes to handle rush hour.

AVD session traffic uses the Remote Desktop Protocol (RDP), which encodes the desktop display, audio, input devices, and redirected peripherals into a single data stream. Network quality directly affects user experience: high latency causes input lag, packet loss causes visual artefacts, and insufficient bandwidth causes compression degradation.

Key networking considerations include: bandwidth per user (varies by workload type), round-trip latency (should be under 150ms, ideally under 100ms), DNS resolution for the AVD service endpoints, outbound internet access for the control plane, and VNet design for session host placement.

Bandwidth requirements by workload

Microsoft provides recommended bandwidth per user based on workload type:

| Workload Type | Example Use Cases | Recommended Bandwidth | Notes |
|---|---|---|---|
| Light | Text-based apps, data entry, simple web browsing | 1.5 Mbps per user | Basic Office apps, email |
| Medium | Standard Office suite, web apps, line-of-business apps | 3 Mbps per user | Outlook, Excel, Teams (no video) |
| Heavy | Teams video calls, multimedia, rich web apps | 5 Mbps per user | Video conferencing, screen sharing |
| Power | CAD/CAM, video editing, 3D rendering, GPU workloads | 15+ Mbps per user | Requires GPU VMs, high bandwidth |

🏒 Raj's calculation: "TerraStack has 2,000 users in the first AVD phase. Most are medium workload (Office + CRM), but 50 are CAD engineers. That is 2,000 x 3 Mbps + 50 x 15 Mbps = 6,750 Mbps ≈ 6.75 Gbps peak. Plus headroom. That is the number I take to Dmitri, the network engineer."

💡 Exam tip: The Experience Estimator

Microsoft provides the Azure Virtual Desktop Experience Estimator tool. It measures round-trip time (RTT) from the user's location to Azure regions. Use it to determine which Azure region to place session hosts in - always choose the region closest to your users with the lowest RTT.

The exam may ask you to recommend a tool for assessing network readiness - the Experience Estimator is the answer.

Latency targets

| Metric | Target | Impact If Exceeded |
|---|---|---|
| Round-trip time (RTT) | Less than 150ms (ideal: less than 100ms) | Input lag, delayed mouse/keyboard response |
| Packet loss | Less than 1% | Visual artefacts, audio glitches |
| Jitter | Less than 30ms | Inconsistent audio/video quality |

🌐 Priya's challenge: "Our team in Tokyo had 280ms RTT to West US 2. The desktops were unusable. We moved their host pool to Japan East - RTT dropped to 15ms. Always deploy session hosts close to your users."

Network architecture for session hosts

Session hosts need connectivity in three directions:

1. Outbound to AVD control plane (required)

Session hosts must reach the AVD service endpoints over HTTPS (TCP 443). These include:

  • *.wvd.microsoft.com - control plane services
  • login.microsoftonline.com - Entra ID authentication
  • *.servicebus.windows.net - session host heartbeat
  • *.prod.warm.ingest.monitor.core.windows.net - diagnostics

Key point: The reverse connect transport means session hosts initiate outbound connections to the gateway, so no inbound ports need to be opened.
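The check below is an added example, not part of the study guide or any Microsoft tooling: it audits a constructed firewall rule set against the four FQDNs listed above and lists inbound allow rules, which reverse connect makes unnecessary for user connections. The rule schema, the `covers` and `audit_rules` functions and the sample rules are assumptions made for illustration.

```python
# Required outbound FQDNs on TCP 443, taken from the list above.
REQUIRED_FQDNS = [
    "*.wvd.microsoft.com",
    "login.microsoftonline.com",
    "*.servicebus.windows.net",
    "*.prod.warm.ingest.monitor.core.windows.net",
]

def covers(allowed: str, required: str) -> bool:
    """True if an allow-list entry matches every host the requirement names."""
    allowed, required = allowed.lower(), required.lower()
    if allowed == required:
        return True
    if allowed.startswith("*."):
        # "*.example.com" covers "a.example.com" and the narrower "*.a.example.com".
        return required.lstrip("*").endswith(allowed[1:])
    return False  # an exact host never covers a wildcard requirement

def audit_rules(rules):
    """Return (missing_fqdns, inbound_allow_rule_names) for a rule set."""
    egress = [r for r in rules
              if r["direction"] == "outbound" and r["action"] == "allow"
              and r["port"] == 443]
    missing = [req for req in REQUIRED_FQDNS
               if not any(covers(f, req) for r in egress for f in r["fqdns"])]
    # Session hosts dial out to the gateway, so inbound allows deserve a review.
    inbound = [r["name"] for r in rules
               if r["direction"] == "inbound" and r["action"] == "allow"]
    return missing, inbound

# Constructed sample rule set (hypothetical names and schema).
SAMPLE_RULES = [
    {"name": "avd-control-plane", "direction": "outbound", "action": "allow",
     "port": 443, "fqdns": ["*.wvd.microsoft.com", "login.microsoftonline.com"]},
    {"name": "avd-heartbeat", "direction": "outbound", "action": "allow",
     "port": 443, "fqdns": ["*.servicebus.windows.net"]},
    {"name": "legacy-rdp", "direction": "inbound", "action": "allow",
     "port": 3389, "fqdns": []},
]

if __name__ == "__main__":
    missing, inbound = audit_rules(SAMPLE_RULES)
    print("Missing egress FQDNs:", missing)
    print("Inbound allow rules to review:", inbound)
```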

2. Outbound to the internet (for users)

Users on session hosts typically need internet access for:

  • Microsoft 365 services (Exchange, SharePoint, OneDrive)
  • Web browsing
  • Line-of-business SaaS applications

Route internet traffic through Azure Firewall, a network virtual appliance (NVA), or a web proxy for security and compliance.

3. Internal connectivity (on-premises and Azure resources)

Session hosts often need to reach:

  • On-premises file servers (via VPN or ExpressRoute)
  • Active Directory domain controllers (if AD DS joined)
  • Application back-ends in other VNets

Use VNet peering, VPN Gateway, or ExpressRoute for this connectivity.

ℹ️ Deep dive: DNS configuration

DNS is critical for AVD. Session hosts need to resolve:

  • AVD service FQDNs - use Azure-provided DNS or custom DNS that forwards to Azure DNS (168.63.129.16)
  • AD DS domain controllers - if domain-joined, custom DNS pointing to your DCs is required
  • File share FQDNs - for FSLogix profile storage

A common mistake is using on-premises DNS servers that cannot resolve Azure private endpoints. If you use Private Link, configure DNS conditional forwarders or Azure Private DNS zones.

VNet design patterns

| Pattern | When to Use | How It Works |
|---|---|---|
| Single VNet | Small deployments, proof of concept | All session hosts in one VNet with subnets |
| Hub-spoke | Enterprise, multi-region, on-premises connectivity | Shared services (firewall, DNS) in hub; session hosts in spoke VNets |
| Hub-spoke with Azure Virtual WAN | Large-scale, multi-region, complex routing | Managed hub with automatic routing between spokes |

🏒 Raj's network design: "Dmitri set up a hub-spoke topology. The hub has Azure Firewall and the VPN Gateway to our Christchurch data centre. Each AVD host pool gets its own spoke VNet peered to the hub. Clean, secure, auditable."

Subnet sizing

Plan your subnets to accommodate current session hosts plus growth:

| Host Pool Size | Minimum Subnet | Recommended Subnet | IP Addresses |
|---|---|---|---|
| Up to 50 VMs | /26 | /25 | 64 / 128 |
| 50-200 VMs | /24 | /23 | 256 / 512 |
| 200-500 VMs | /23 | /22 | 512 / 1024 |
| 500+ VMs | /22 or larger | /21 | 1024 / 2048 |

Azure reserves 5 IP addresses per subnet. Always plan for growth - changing subnet sizes later requires recreating resources.
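The sizing rule above, as an added example that is not part of the study guide: it picks the smallest subnet for a host pool after subtracting the 5 reserved addresses, then carves one non-overlapping subnet per pool out of a VNet address space. The function names, the growth factor, the 10.20.0.0/21 range and the pool names are assumptions made for illustration; the /29 lower bound is Azure's smallest supported IPv4 subnet.

```python
import ipaddress
import math

AZURE_RESERVED_IPS = 5  # Azure reserves 5 addresses in every subnet (stated above)

def usable_ips(prefix_len: int) -> int:
    """Addresses left for session hosts in a subnet of this prefix length."""
    return 2 ** (32 - prefix_len) - AZURE_RESERVED_IPS

def smallest_prefix(session_hosts: int, growth: float = 0.0) -> int:
    """Longest prefix (smallest subnet) that fits the hosts plus growth headroom."""
    needed = math.ceil(session_hosts * (1 + growth))
    for prefix_len in range(29, 1, -1):  # /29 is the smallest subnet Azure accepts
        if usable_ips(prefix_len) >= needed:
            return prefix_len
    raise ValueError("host count does not fit in a single IPv4 subnet")

def carve(vnet_cidr: str, pools: dict, growth: float = 0.5) -> dict:
    """Allocate one non-overlapping subnet per host pool, largest pool first."""
    vnet = ipaddress.ip_network(vnet_cidr)
    cursor = int(vnet.network_address)
    plan = {}
    for name, hosts in sorted(pools.items(), key=lambda kv: -kv[1]):
        prefix_len = smallest_prefix(hosts, growth)
        size = 2 ** (32 - prefix_len)
        cursor = -(-cursor // size) * size  # round up to the subnet boundary
        subnet = ipaddress.ip_network((cursor, prefix_len))
        if not subnet.subnet_of(vnet):
            raise ValueError(f"{vnet_cidr} is too small for pool {name!r}")
        plan[name] = subnet
        cursor += size
    return plan

# Constructed sample input (hypothetical address space and pool names).
SAMPLE_VNET = "10.20.0.0/21"
SAMPLE_POOLS = {"pooled-office": 200, "personal-cad": 50}

if __name__ == "__main__":
    for name, subnet in carve(SAMPLE_VNET, SAMPLE_POOLS).items():
        print(f"{name}: {subnet} ({usable_ips(subnet.prefixlen)} usable)")
```

With `growth=0` the function returns the table's minimum column for 50, 200 and 500 hosts, and with `growth=1.0` it returns the recommended column for the same three sizes.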

Question

What is the recommended RTT target for Azure Virtual Desktop sessions?

Answer

Less than 150ms, with an ideal target of less than 100ms. Use the Azure Virtual Desktop Experience Estimator to measure RTT from user locations to Azure regions.

Question

Why don't session hosts need inbound ports opened for user connections?

Answer

AVD uses a reverse connect transport - session hosts initiate outbound HTTPS connections to the AVD gateway. The gateway then brokers the user connection over this outbound tunnel. No inbound firewall rules needed.

Question

How much bandwidth per user does Microsoft recommend for a medium workload (Office + web apps)?

Answer

3 Mbps per user. Light workloads need 1.5 Mbps, heavy workloads (Teams video) need 5 Mbps, and power workloads (CAD/GPU) need 15+ Mbps.

Question

What is the Azure Virtual Desktop Experience Estimator?

Answer

A Microsoft tool that measures round-trip time (RTT) from a user's location to Azure regions. Use it to determine the best Azure region for placing session hosts - always choose the closest region with the lowest RTT.

Knowledge Check

Priya's NomadTech team in Singapore reports slow desktop performance. RTT to the host pool in West Europe is 320ms. What should Priya do first?

Knowledge Check

Raj is designing the network for TerraStack's AVD deployment. Session hosts need to connect to on-premises Active Directory domain controllers and reach the AVD control plane. Which network topology should he recommend?


Next up: RDP Shortpath, Multipath and QoS - boost performance with UDP-based transport, multi-path resilience, and traffic prioritisation.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.