- Overview
- Why use Azure Virtual Desktop and Private Link?
- Recommended Resources & Estimated Costs
- Azure Virtual Desktop Setup Instructions
Overview
For security and compliance purposes and for ease of access using one account, Momentive recommends Aptify clients in Momentive Software's hosted Azure solution who require access to the Aptify Desktop client connect using an Azure Virtual Desktop in the client subscription.
This involves setting up an AVD resource, a Virtual Machine, and a private link connection to securely connect the Aptify Desktop client in the client subscription to the SQL Managed Instance in the Momentive Azure environment. The above diagram illustrates this setup.
This page outlines the estimated costs of setting up this connection and includes instructions on how to set up the Private Link, the AVD resource, the VM, and the Desktop client. The same instructions can be followed for clients self-hosting in Azure, without the private link requirement.
For clients migrating to Momentive's Azure hosting solution, Momentive staff are available to assist in the process.
Why use Azure Virtual Desktop and Private Link?
Azure Virtual Desktop via Private Link is the recommended solution to host the Aptify Desktop client in Azure for a number of reasons. It behaves similarly to the "traditional" Terminal Server, but is much more robust, secure, and simpler to manage.
- It's the easiest method to connect to the Aptify Desktop client
- Users have one login that applies to the AVD client as well as Aptify.
- The AVD client securely deploys the virtualized Desktop client to users' machines in a seamless way that behaves as if it were installed locally: users have the Aptify Desktop client in their Start Menu, and it launches without any need to remote into a fully virtualized environment.
- The Aptify Desktop client can be accessed remotely without requiring a VPN connection or opening any ports (like the RDP ports required in a legacy terminal server environment).
- It simplifies the management process
- There is one centralized place to make Aptify Desktop client updates.
- Aptify Desktop client can be deployed to new users easily by simply pushing the Remote Desktop application or having them download and install.
- Clients can select the number or size of VMs most appropriate to their needs.
- Private Link is the most performant and secure way of running the Aptify Desktop client
- The Private Link connection between the Desktop client and database server is a secure, private connection that only grants access between a client Azure network and the SQL MI database server.
- The Private Link connection is very performant, behaving as if the two systems were on the same network.
- The Private Link connection is used by the Aptify Desktop client, but can also be used by clients needing to access the Aptify or e-business databases for other purposes, such as the MS Fabric data warehouse integration, or custom websites requiring database access.
Recommended Resources & Estimated Costs
All you'll need to host the Desktop Client in your Azure subscription are an Azure Virtual Desktop, a Virtual Network, and Azure Private Link. In almost all cases, a single VM is sufficient to run the Desktop client for all users, with resources scaled appropriately based on number of users. For clients with a significant number of Desktop client users, a single VM (with significant resources) is still usually the appropriate approach. Momentive has found most clients have better stability with AVD with one VM powering the host pools as opposed to multiple; however, multiple can be set up if needed.
The cost of hosting the Aptify Desktop client in an AVD setup varies depending on the number of users requiring Desktop client access and the degree or frequency of their usage (e.g., some users may only need occasional access once a week and use the Aptify Web client otherwise).
Typically, a conservative estimate of the cost is between $250 and $450 a month, although this can be significantly lowered using either 1 or 3 year reserved instances or savings plans for the VDI as mentioned in the below table. The actual cost should tend to be on the lower end of this range.
This table outlines a sample set of resources and the monthly cost for running the Desktop client via an AVD connection. These are calculated using the US East Azure region as of May 2025; prices may vary slightly depending on region.
Azure Resource | Estimated Monthly Cost | Notes |
Virtual Network | $5 | All resources within this Vnet will have access to the SQL MI via Private Link, so this Vnet or any peered Vnet can be used for non-AVD connections like Microsoft Fabric or custom websites. |
Azure Private Link | $10 | Establishes connection between client Vnet and Momentive's SQL MI |
Azure Virtual Desktop (licenses) | $5.50 per user | Cost is $5.50 per user per month if using Remote App Streaming (as recommended) but is $10 per user per month if full Desktop is required. The client organization may not need to pay this cost depending on the Microsoft 365 license type used by the organization. More information on eligible licenses can be found here: https://azure.microsoft.com/en-us/pricing/details/virtual-desktop/ |
Azure Virtual Desktop (resource), Small | $80 | Appropriate for under 10 users.** |
Azure Virtual Desktop (resource), Medium | $110 | Appropriate for 10-25 users.** Azure Virtual Desktop, Pooled, Scaling Option: 20 Users, 90% Peak concurrency, 5% Off peak concurrency, 220 Usage hours/month, multi-session, medium workload, per user access pricing - Not Applicable, D4a v4 (4 vCPU(s), 16 GB RAM) (Pay as you go), P10 (128 GiB, 500 IOPS) Disks, Premium File Storage |
Azure Virtual Desktop (resource), Large | $240 | Appropriate for 25-50 users.** Azure Virtual Desktop, Pooled, Scaling Option: 40 Users, 90% Peak concurrency, 5% Off peak concurrency, 220 Usage hours/month, multi-session, medium workload, per user access pricing - Not Applicable, E8ads v6 (8 vCPU(s), 64 GB RAM) (Pay as you go), P10 (128 GiB, 500 IOPS) Disks, Premium File Storage |
**In each user range, the specs support heavy user system usage best at the lower range, and moderate or light at the upper range. For example, the Medium specs are appropriate for heavy Desktop client usage more in the 10-15 range, whereas moderate or light usage could support up to 25.
In a sample scenario of 5 Desktop client users, the monthly cost would be about $125. A scenario of 40 users would be closer to $475 a month (assuming in both cases that the Azure Virtual Desktop licenses are not covered by the organization's Microsoft 365 licensing).
Saving Costs with Reserved Instances or Savings Plans
Clients can significantly reduce the cost of the AVD (resource) by locking in either a Reserved Instance or Savings Plan at either a 1 or 3 year term. As of May 2025, Azure discounts these at the following rates:
Selected Plan and Term | Discount % |
1 year Savings Plan | 33% |
3 year Savings Plan | 55% |
1 year Reserved Instance | 41% |
3 year Reserved Instance | 62% |
A Reserved Instance offers greater savings, but is more specific to the resource selected, e.g., it may only apply to specific classes of the Virtual Machine selected. Savings Plans offer less of a discount, but apply across compute to any resource eligible.
Momentive recommends waiting for a month or two before locking in any Reserved Instances, to ensure the VM size chosen is the appropriate one.
Azure Virtual Desktop Setup Instructions
This section outlines the steps to set up an Azure Virtual Desktop to run the Aptify Desktop client. As mentioned, for clients migrating to Momentive's Azure hosting solution, Momentive staff are available to assist in the process.
There are 3 parts of the process:
Private Link Setup
Setting up a Private Link between the client tenant and the Momentive SQL MI instance is a quick, two-step process. It involves:
- Client creating a private endpoint
- Momentive receiving and approving the client private endpoint request
This will establish direct, secure connectivity from the designated Virtual Network on the client side to the SQL Managed Instance in Momentive's tenant. This means applications like the Desktop client or SSMS in that Vnet will be able to connect to the SQL Server, as will any other applications that are either in that Vnet or in another Vnet that has been peered or connected to the linked Vnet.
To get started, search for Private Link in the Azure portal to go to the Private Link Center. Select Create private endpoint. Put it in the appropriate Subscription and Resource Group, and name it whatever you'd like. The name will populate the Network Interface Name. Select the Region where your resources are located and click Next.
On the Resource page, change Connection Method to "Connect to an Azure resource by resource ID or alias." Enter the Resource ID that has been provided to you by Momentive. Under Target sub-resource, enter managedInstance. Click Next to go to the Virtual Network page. Select the Virtual Network and Subnet where your AVD Virtual Machine is located, then click Next.
If "Integrate with Private DNS zone" is grayed out, click Next; otherwise select Yes. Click Next to go to Tags, and add any tags if your organization uses these. Then click Create. This will create a new endpoint and generate a request in the Momentive Software tenant to approve the connection. Contact your Project Manager or the Cloud team to let them know you have submitted a request.
Once the connection has been approved, you should be able to access the SQL Managed Instance from within any resource in that network.
Note, you will need to map the DNS name of the SQL Managed Instance to the IP address of the Private Endpoint. If you have or may have multiple resources connecting to the SQL MI, you should set up an Azure Private DNS Zone and then link your Virtual Network to the new Private DNS zone.
You'll need to create a DNS entry in your Private DNS Zone to map the FQDN of the SQL MI to the IP address, for example, the DNS name sqlmi-test-production.82131242365353415b.database.windows.net would map to a private IP address found in the Private Endpoint that was created.
A Private DNS Zone is recommended as it is a more maintainable, flexible tool. Other DNS solutions (Private Resolver, Active Directory, etc) can be used as well. However, if this VNet and Private Link is solely being used for the Aptify Desktop client (and maybe SSMS) this can also be accomplished by editing the Hosts file on the Virtual Machine.
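One way to check the mapping described above, as an added example that is not part of the original page or Momentive's tooling: it parses a hosts file and confirms the SQL MI name points at exactly one address inside the private endpoint's subnet, and `check_resolver` applies the same test to whatever the OS resolver returns when a Private DNS Zone is used instead. The FQDN is the page's own example; the subnet 10.20.1.0/24, the IP addresses, and all function names are assumptions for illustration.

```python
import ipaddress
import socket

# FQDN is the page's example; the subnet and IPs below are constructed.
SQLMI_FQDN = "sqlmi-test-production.82131242365353415b.database.windows.net"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Return {lower-cased hostname: [ip, ...]} from hosts-file text."""
    mapping = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comment, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, ignore it
        for name in fields[1:]:                # one IP may carry aliases
            mapping.setdefault(name.lower().rstrip("."), []).append(ip)
    return mapping


def classify(addresses, endpoint_subnet):
    """Judge the addresses one name maps to against the endpoint subnet."""
    subnet = ipaddress.ip_network(endpoint_subnet)
    unique = set(addresses)
    if not unique:
        return "missing"        # name falls through to the VM's other DNS
    if len(unique) > 1:
        return "conflict"       # one name, several different targets
    ip = unique.pop()
    if ip in subnet:
        return "ok"
    if any(ip in net for net in RFC1918):
        return "wrong-subnet"   # private, but not where the endpoint lives
    return "not-private"        # connection would not use the private endpoint


def check_hosts(text, fqdn, endpoint_subnet):
    """Classify the hosts-file entry (if any) for fqdn."""
    addresses = parse_hosts(text).get(fqdn.lower().rstrip("."), [])
    return classify(addresses, endpoint_subnet)


def check_resolver(fqdn, endpoint_subnet):
    """Same check against whatever the OS resolver returns (needs network)."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return "missing"
    return classify([ipaddress.ip_address(i[4][0]) for i in infos],
                    endpoint_subnet)


# Constructed hosts-file contents for illustration.
GOOD_HOSTS = ("# Aptify SQL MI private endpoint\n10.20.1.5  "
              + SQLMI_FQDN.upper() + "\n")
STALE_HOSTS = "203.0.113.10  " + SQLMI_FQDN + "  # left over\n"

if __name__ == "__main__":
    for label, text in (("good", GOOD_HOSTS), ("stale", STALE_HOSTS)):
        print(label, check_hosts(text, SQLMI_FQDN, "10.20.1.0/24"))
```

A result other than `ok` means the Desktop client or SSMS on that machine would not reach the SQL MI through the private endpoint as configured.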
Azure Virtual Desktop and Virtual Machine setup
Setting up an Azure Virtual Desktop (AVD) involves creating an AVD pool and all the supporting resources, as well as the underlying Virtual Machine that will be running the Desktop client. This is a basic outline of how all the services interact.
The Azure Virtual Desktop is the tool that will connect users to the underlying applications, be it a full Desktop experience or a streaming RemoteApp. You can have any number of host pools for different reasons connected to the AVD; for the Desktop client purpose we only need one.
The Host Pool is the liaison between all of the other services.
- It is used by the AVD to connect to the underlying applications
- It connects to the Application Group and Workspace to determine which apps and who has permission to access
- It connects to the underlying VMs running the programs and acts as a load balancer
The Application Group ties to a single Host Pool and determines two items: which applications are available, and who has permissions to access these applications. Permissions can be assigned either at the user level or group level. Group is usually the more maintainable method of doing so.
Applications fall into two categories: there is a full Session Desktop available, or you can run one or more applications installed on the underlying VM as a streaming RemoteApp, which is Momentive's recommendation for the Aptify Desktop client as it is an easier and more seamless experience.
When the Aptify Desktop client (or another program) runs as a RemoteApp, it behaves as if it had been installed on the user's local machine: it is virtualized to look like it is running directly there, it installs shortcuts in the user's Start Menu, etc.
**Note, as of spring 2025, Microsoft does not permit running both a full Session Desktop and RemoteApp streaming on the same host pool. You can still run multiple programs via RemoteApp.
The Workspaces are not tied to a specific Host Pool and instead tie to as many Application Groups as needed. This simplifies the end user experience, in case they are part of multiple host pools, they will not have separate sections or areas for each different host pool or application.
The Virtual Machines are the underlying VMs used by the Host Pool to run the Aptify Desktop client, as well as any other required applications. They are typically set to use the Windows 11 multi-session Operating System to allow multiple concurrent users.
You can theoretically have any number of VMs that serve as backend pools to the Host Pool; however, it's Momentive's experience that the most stable configuration is a single Virtual Machine with significant resources if used by a large number of users.
The Host Pool acts as a load balancer between the VMs, but there is a lag in it checking availability of the underlying VMs. If one VM is unresponsive or down, it may think there are no resources available despite the second VM running. In larger environments where you might have 5-20 VMs behind an AVD, this is not an issue, but it does occur if you have just 2 or 3.
For that reason, we recommend just one VM. Instead of, say, 3 VMs with 4 CPUs and 16 GB of RAM, you are likely to enjoy better stability with a single VM running at 8 or 12 CPUs and 64 GB of RAM, and the cost typically is equal.
Creating our AVD
First, go into the Azure Portal and type "Azure Virtual Desktop" in the search bar at the top. Click "Create a host pool."
On the first page, select the correct Subscription, Resource Group, and Location. You may name the Host Pool Name whatever you'd like. Change the Preferred App Group Type to RemoteApp as well as the Host Pool Type to Pooled, as each user will be sharing the underlying VM.
You can set "create Session Host Configuration" to No, as we don't really need AVD to scale VMs, and under Max Session limit, set a number higher than the number of users you have as we do not want to trigger AVD attempting to generate more underlying VMs. If you find out the specs on the VM you've created later are insufficient for your number of users, you can always upscale that VM elsewhere. Click next.
The Session Hosts tab will determine which VM you are creating for your AVD. It is possible to create them outside of this wizard, but it is a bit more tricky. Click Yes under Add Virtual Machines to create a new one.
For Resource Group, VM Location, pick the settings that apply to you. For name prefix, select something related to the Aptify Desktop client.
Select "Azure virtual machine" for type.
Under Availability Options, you can select Availability Zones and then which zones (1, 2, 3) that you'd like to apply this VM to. You can also select No Infrastructure Redundancy Required. Availability Zones are the different data centers within a single region, so for example, Azure in US East has a data center in Ashburn, Richmond, and somewhere else. If you have Availability Zones set to 2 or more, if Ashburn loses connectivity, your VM should still work. Note, there is a small charge for Availability Zones.
Under image, select Windows 11 Enterprise multi-session and the latest build version. If you'd like to have Microsoft Office 365 apps pre-installed, you can select that image as well.
For Virtual Machine size, you can start with a standard D2as v5 of 2 CPUs and 8 GB of RAM if you'd like. You can change it now if you'd like to get a bigger VM in place immediately, or it can be changed later.
Under number of VMs, select 1.
We typically leave the next 3 options with their default values; a Standard SSD to run the VM gives reasonable performance and 128 GB of storage should be sufficient. (This also can be expanded later if needed.)
Under Network and Security, you can connect this VM to an existing Virtual Network and Subnet. You can also connect it to an existing Network Security Group if you'd like, create a new one, or set it to None for no connected NSG. NSGs determine port access to the VM. Once everything has been set up, no open ports will be required to access the Desktop client via RemoteApp.
Under Domain to join, you should select Microsoft Entra ID unless you have a specific reason to connect it to an Active Directory. To connect it to an AD, you'll need to have Entra ID sync connected between Azure and your local AD. You can enroll this VM in Intune as well, if your organization uses that.
Under Virtual Machine Administrator Account, create a username and password for the local account. You can disable this later, but this is required to get into the machine initially.
Click Next to proceed to Workspace. Leave "Register Desktop app group" set to no, as we will want to use RemoteApp.
Click Next to go to the Validation stage, and then click Create to generate the Virtual Machine. This will take a few minutes.
If creating the Virtual Machine fails from the AVD Host Pool wizard, try creating a simple VM directly from the Virtual Machine service as that should give you more error information. If you are new to Azure on a Pay-As-You-Go subscription, the most common issue here is your organization has a default quota of 0 CPUs for Virtual Machines. You will need to submit a ticket to Azure Support requesting a quota increase. Once that's done, return to the Host Pool wizard and try again.
Next, proceed to the Application Group linked to your Host Pool. It is likely set up with the Desktop access as the only application. That is fine; it will be changed once the Aptify Desktop client is installed.
Click on Manage next to Assignments, and add all the Users/Groups that will need access to the Aptify Desktop client. It will create them as standard users with access to the Virtual Machines.
For Administrator access on the VM to install the Desktop client, you can use the Local Administrator account, or you can grant a sysadmin in IT Administrator privileges on that VM. Just go to the underlying Virtual Machine, select Access control (IAM) on the top right and click Add role. You'll want to grant those users Virtual Machine Administrator Login roles.
We now have our Host Pool and Application Group set up most of the way. The last item is to create a Workspace, which will allow users to see their remote applications in the Azure Remote Desktop program. Search "Workspace" in the Azure top bar, and go ahead and Create one if there is not one already. Click Add in the Workspace to add your Application Group to this workspace. You can add multiple Application Groups across Host Pools here if applicable.
To verify this is set up, you'll need to install the Remote Desktop application found here: https://learn.microsoft.com/en-us/previous-versions/remote-desktop-client/connect-windows-cloud-services?tabs=windows-msrdc-msi You'll want to download and install the Windows 64-bit application as shown below. All users will have to do this eventually, unless your IT team can push it out via policy.
Once that's installed, launch the Remote Desktop application. Click Subscribe, and log in with your Office365 account. It should load your resources, initially, a Session Desktop. If it says no Resources are available, check the Assignments in your Application Group and ensure it is tied to a Workspace.
We now have everything set up in Azure except for the Desktop RemoteApp Application Group.
Aptify Desktop client setup
Remote into your new Virtual Machine to install the Aptify Desktop client. You can connect by:
- Setting your account as a Virtual Machine Administrator Login on the VM RBAC permissions, and using the Remote Desktop client to launch the Session Desktop
- Temporarily setting a public IP address and an NSG that only allows inbound RDP 3389 from your IP address
- If your Azure resources are on a VPN, connecting to the VPN and then remoting to the private IP address
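An added example (not from the original page or Momentive) for the temporary-RDP option above: it scans NSG security rules and reports any inbound Allow rule that reaches port 3389 from a source other than individual host addresses, which is the state to look for if the temporary rule was widened or never removed. The rule JSON is constructed, its field names assume the security-rule properties Azure returns (for example from `az network nsg rule list`), and the function names are illustrative; rule priority is not evaluated.

```python
import ipaddress
import json

RDP_PORT = 3389


def covers_port(spec, port=RDP_PORT):
    """True if an NSG port spec ('*', '3389', '3000-4000') includes port."""
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def is_single_host(prefix):
    """True only for one IPv4/IPv6 address (bare, /32 or /128)."""
    try:
        return ipaddress.ip_network(prefix, strict=False).num_addresses == 1
    except ValueError:
        return False    # '*', 'Internet' and other service tags are not hosts


def risky_rdp_rules(rules):
    """Names of inbound Allow rules exposing 3389 beyond single hosts.

    Each Allow rule is judged on its own; a higher-priority Deny that
    would shadow it is not taken into account.
    """
    findings = []
    for rule in rules:
        if rule.get("access") != "Allow" or rule.get("direction") != "Inbound":
            continue
        if rule.get("protocol", "*").lower() not in ("tcp", "udp", "*"):
            continue
        # Azure stores either one value or a list; merge both forms.
        ports = list(rule.get("destinationPortRanges") or [])
        if rule.get("destinationPortRange"):
            ports.append(rule["destinationPortRange"])
        if not any(covers_port(p) for p in ports):
            continue
        sources = list(rule.get("sourceAddressPrefixes") or [])
        if rule.get("sourceAddressPrefix"):
            sources.append(rule["sourceAddressPrefix"])
        if not sources or not all(is_single_host(s) for s in sources):
            findings.append(rule["name"])
    return findings


# Constructed sample in the shape of NSG security-rule JSON.
SAMPLE_RULES = json.loads("""
[
  {"name": "rdp-from-admin", "access": "Allow", "direction": "Inbound",
   "protocol": "Tcp", "destinationPortRange": "3389",
   "sourceAddressPrefix": "198.51.100.7/32"},
  {"name": "rdp-from-anywhere", "access": "Allow", "direction": "Inbound",
   "protocol": "Tcp", "destinationPortRange": "3389",
   "sourceAddressPrefix": "*"},
  {"name": "mgmt-range", "access": "Allow", "direction": "Inbound",
   "protocol": "*", "destinationPortRanges": ["22", "3000-4000"],
   "sourceAddressPrefix": "10.0.0.0/8"},
  {"name": "deny-rdp", "access": "Deny", "direction": "Inbound",
   "protocol": "Tcp", "destinationPortRange": "3389",
   "sourceAddressPrefix": "*"}
]
""")

if __name__ == "__main__":
    print(risky_rdp_rules(SAMPLE_RULES))
```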
You'll then want to install the Aptify Desktop client. Follow the instructions on this page:
https://aptifysupport.zendesk.com/hc/en-us/articles/37389110662925-Quick-List-for-Installing-the-Aptify-Desktop-Client and then return to this page. If your Private Link connection has been established and is working, you should be able to log in to the Database server using the FQDN of the SQL managed instance. You'll want to log in using your Azure AD account, not domain account. (You can, of course, still log in using a SQL account.)
Once that's completed, we have one final step to set up the Desktop client as a streaming RemoteApp. Go to the Azure Portal, and go to your Application Group. Remove the SessionDesktop as an Application. (**Note, you may need to create a new Application Group for this.)
Then Click Add to add the Aptify Desktop client. You can locate it either by using the Start Menu, or by just identifying the File Path to the Startup.exe program.
Under icon, add the path to your Startup.exe to display the Aptify icon. Click Review and Add.
That should do it. Close your Remote Desktop application, and launch it again. It should refresh your feed, and you should now see the Aptify Desktop client in your feed.
The first time you launch it, the Remote Desktop application will require you to authenticate but that should only occur the first time. Subsequent logins using Azure AD should save MFA authorization for a period of time, so you should not have multiple logins.