
Commit 0ab3034

author
RoseHJM
committed
Removed details and added links to source content
1 parent 61e43f1 commit 0ab3034

1 file changed

+30
-62
lines changed

articles/dev-box/concept-dev-box-network-requirements.md

Lines changed: 30 additions & 62 deletions
@@ -53,6 +53,22 @@ You can check that your dev boxes can connect to these FQDNs and endpoints by fo
5353
> [!IMPORTANT]
5454
> Microsoft doesn't support dev box deployments where the FQDNs and endpoints listed in this article are blocked.
5555
56+
### Use FQDN tags and service tags for endpoints through Azure Firewall
57+
58+
Managing network security controls for dev boxes can be complex. To simplify configuration, use fully qualified domain name (FQDN) tags and service tags to allow network traffic.
59+
60+
- **FQDN tags**
61+
62+
An [FQDN tag](/azure/firewall/fqdn-tags) is a predefined tag in Azure Firewall that represents a group of fully qualified domain names. By using FQDN tags, you can easily create and maintain egress rules for specific services like Windows 365 without manually specifying each domain name.
63+
64+
The groupings defined by FQDN tags can overlap. For example, the Windows365 FQDN tag includes AVD endpoints for standard ports, see [reference](/windows-365/enterprise/azure-firewall-windows-365#windows365-tag).
65+
66+
Non-Microsoft firewalls don't usually support FQDN tags or service tags. There might be a different term for the same functionality; check your firewall documentation.
67+
68+
- **Service tags**
69+
70+
A [service tag](/azure/firewall/service-tags) represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in both [Network Security Group (NSG)](/azure/virtual-network/network-security-groups-overview) and [Azure Firewall](/azure/firewall/service-tags) rules to restrict outbound network access, and in [User Defined Route (UDR)](/azure/virtual-network/virtual-networks-udr-overview#user-defined) to customize traffic routing behavior.
71+
5672
## Physical device network connectivity
5773
Although most of the configuration is for the cloud-based dev box network, end user connectivity occurs from a physical device. Therefore, you must also follow the connectivity guidelines on the physical device network.
5874
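Review bot: The service tag definition in this hunk, `A [service tag](/azure/firewall/service-tags) represents a group of IP address prefixes`, now links the Azure Firewall service-tags page, whereas the paragraph it replaces further down in this commit linked `/azure/virtual-network/service-tags-overview`; the same sentence already links `/azure/firewall/service-tags` for the `[Azure Firewall]` reference, and the paragraph itself says service tags are also used in NSG and UDR rules, so the general definition should keep the virtual-network overview link. Also, `For example, the Windows365 FQDN tag includes AVD endpoints for standard ports, see [reference](...)` is a comma splice with a non-descriptive link text; suggest `... for standard ports; see the [Windows365 tag reference](/windows-365/enterprise/azure-firewall-windows-365#windows365-tag).`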

@@ -67,70 +83,21 @@ Although most of the configuration is for the cloud-based dev box network, end u
6783

6884
The following URLs and ports are required for the provisioning of dev boxes and the Azure Network Connection (ANC) health checks. All endpoints connect over port 443 unless otherwise specified.
6985

70-
| Category | Endpoints | How to apply | More information |
86+
| Category | Endpoints | FQDN tag or Service tag | More information |
7187
|---------------------------------|--------------------------------|-------------------------------------|------------------------------|
72-
| **Dev box communication endpoints** | - *.agentmanagement.dc.azure.com<br>- *.cmdagent.trafficmanager.net | Line by line in your firewall rules. | N/A |
73-
| **Windows 365 service endpoints** | - *.infra.windows365.microsoft.com<br>- *.cmdagent.trafficmanager.net<br>- UDP connectivity via TURN<br>- TURN connectivity | FQDN tag: *Windows365*<br> or <br>Line by line in your firewall rules. | [Windows 365 network requirements](/windows-365/enterprise/requirements-network?tabs=enterprise%2Cent#windows-365-service). |
74-
| **Windows 365 Registration endpoints** | - login.microsoftonline.com<br>- login.live.com<br>- enterpriseregistration.windows.net<br>- global.azure-devices-provisioning.net (443 & 5671 outbound)<br>- hm-iot-in-prod-prap01.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-prod-prau01.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-prod-preu01.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-prod-prna01.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-prod-prna02.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-2-prod-preu01.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-2-prod-prna01.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-3-prod-preu01.azure-devices.net (443 & 5671 outbound)<br>- hm-iot-in-3-prod-prna01.azure-devices.net (443 & 5671 outbound) |
75-
| **Azure Virtual Desktop service endpoints** | - login.microsoftonline.com<br> - *.wvd.microsoft.com<br> - *.prod.warm.ingest.monitor.core.windows.net<br> - catalogartifact.azureedge.net<br> - gcs.prod.monitoring.core.windows.net<br> - azkms.core.windows.net<br> - mrsglobalsteus2prod.blob.core.windows.net<br> - wvdportalstorageblob.blob.core.windows.net<br> - 169.254.169.254<br> - 168.63.129.16<br> - oneocsp.microsoft.com<br> - www.microsoft.com | FQDN tags: *WindowsVirtualDesktop*, *AzureMonitor*, *AzureFrontDoor.Frontend*, *AzureCloud*, *Internet* | [Session host virtual machines](/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure#session-host-virtual-machines). |
76-
| **Microsoft Entra ID** | FQDNs and endpoints for Microsoft Entra ID can be found under ID 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). | Add service tag `AzureActiveDirectory` | [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online) |
88+
| **Dev box communication endpoints** | - *.agentmanagement.dc.azure.com<br>- *.cmdagent.trafficmanager.net | N/A | N/A |
89+
| **Windows 365 service endpoints** | - *.infra.windows365.microsoft.com<br>- *.cmdagent.trafficmanager.net<br>- UDP connectivity via TURN<br>- TURN connectivity | FQDN tag: *Windows365* | [Windows 365 network requirements](/windows-365/enterprise/requirements-network?tabs=enterprise%2Cent#windows-365-service). |
90+
| **Windows 365 Registration endpoints** | For current W365 registration endpoints, see [Windows 365 service](/windows-365/enterprise/requirements-network?tabs=enterprise%2Cent) |
91+
| **Azure Virtual Desktop service endpoints** | For current AVD service endpoints, see [Session host virtual machines](/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure#session-host-virtual-machines) | FQDN tags: *WindowsVirtualDesktop*, *AzureMonitor*, *AzureFrontDoor.Frontend*, *AzureCloud*, *Internet* | |
92+
| **Microsoft Entra ID** | FQDNs and endpoints for Microsoft Entra ID can be found under ID 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online). | Service tag: *AzureActiveDirectory* | [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online) |
7793
| **Microsoft Intune** | For current FQDNs and endpoints for Microsoft Entra ID, see [Intune core service](/mem/intune/fundamentals/intune-endpoints?tabs=north-america#endpoints)| FQDN tag: *MicrosoftIntune* | [Intune endpoints](/mem/intune/fundamentals/intune-endpoints) |
7894

79-
## Use FQDN tags and service tags for endpoints through Azure Firewall
80-
81-
Managing network security controls for dev boxes can be complex. To simplify configuration, use fully qualified domain name (FQDN) tags and service tags to allow network traffic.
82-
83-
- **FQDN tags**
84-
85-
An [FQDN tag](/azure/firewall/fqdn-tags) is a predefined tag in Azure Firewall that represents a group of fully qualified domain names. By using FQDN tags, you can easily create and maintain egress rules for specific services like Windows 365 without manually specifying each domain name.
86-
87-
The groupings defined by FQDN tags can overlap. For example, the Windows365 FQDN tag includes AVD endpoints for standard ports, see [reference](/windows-365/enterprise/azure-firewall-windows-365#windows365-tag).
88-
89-
Non-Microsoft firewalls don't usually support FQDN tags or service tags. There might be a different term for the same functionality; check your firewall documentation.
90-
91-
- **Service tags**
92-
93-
A [service tag](/azure/virtual-network/service-tags-overview) represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in both [Network Security Group (NSG)](/azure/virtual-network/network-security-groups-overview) and [Azure Firewall](/azure/firewall/service-tags) rules to restrict outbound network access, and in [User Defined Route (UDR)](/azure/virtual-network/virtual-networks-udr-overview#user-defined) to customize traffic routing behavior.
94-
95-
The listed FQDNs and endpoints and tags only correspond to Azure Virtual Desktop sites and resources. They don't include FQDNs and endpoints for other services such as Microsoft Entra ID. For service tags for other services, see [Available service tags](/azure/virtual-network/service-tags-overview#available-service-tags).
95+
The listed FQDNs and endpoints and tags only correspond to the most common resources. They don't include FQDNs and endpoints for all services. For service tags for other services, see [Available service tags](/azure/virtual-network/service-tags-overview#available-service-tags).
9696

9797
Azure Virtual Desktop doesn't have a list of IP address ranges that you can unblock instead of FQDNs to allow network traffic. If you're using a Next Generation Firewall (NGFW), you need to use a dynamic list made for Azure IP addresses to make sure you can connect.
9898

9999
For more information, see [Use Azure Firewall to manage and secure Windows 365 environments](/windows-365/enterprise/azure-firewall-windows-365).
100100

101-
The following table is the list of FQDNs and endpoints your dev boxes need to access. All entries are outbound; you don't need to open inbound ports for dev boxes.
102-
103-
|Address |Protocol |Outbound port |Purpose |Service tag|
104-
|---|---|---|---|---|
105-
|login.microsoftonline.com |TCP |443 |Authentication to Microsoft Online Services |
106-
|*.wvd.microsoft.com |TCP |443 |Service traffic |WindowsVirtualDesktop |
107-
|*.prod.warm.ingest.monitor.core.windows.net |TCP |443 |Agent traffic [Diagnostic output](/azure/virtual-desktop/diagnostics-log-analytics) |AzureMonitor |
108-
|catalogartifact.azureedge.net |TCP |443 |Azure Marketplace |AzureFrontDoor.Frontend|
109-
|gcs.prod.monitoring.core.windows.net |TCP |443 |Agent traffic |AzureCloud|
110-
|kms.core.windows.net |TCP |1688 |Windows activation |Internet|
111-
|azkms.core.windows.net |TCP |1688 |Windows activation |Internet|
112-
|mrsglobalsteus2prod.blob.core.windows.net |TCP |443 |Agent and side-by-side (SXS) stack updates |AzureCloud|
113-
|wvdportalstorageblob.blob.core.windows.net |TCP |443 |Azure portal support |AzureCloud|
114-
|169.254.169.254 |TCP |80 |[Azure Instance Metadata service endpoint](/azure/virtual-machines/windows/instance-metadata-service)|N/A|
115-
|168.63.129.16 |TCP |80 |[Session host health monitoring](/azure/virtual-network/network-security-groups-overview#azure-platform-considerations)|N/A|
116-
|oneocsp.microsoft.com |TCP |80 |Certificates |N/A|
117-
|www.microsoft.com |TCP |80 |Certificates |N/A|
118-
119-
The following table lists optional FQDNs and endpoints that your session host virtual machines might also need to access for other services:
120-
121-
|Address |Protocol |Outbound port |Purpose|
122-
|---|---|---|---|
123-
|login.windows.net |TCP |443 |Sign in to Microsoft Online Services and Microsoft 365|
124-
|*.events.data.microsoft.com |TCP |443 |Telemetry Service|
125-
|www.msftconnecttest.com |TCP |80 |Detects if the session host is connected to the internet|
126-
|*.prod.do.dsp.mp.microsoft.com |TCP |443 |Windows Update|
127-
|*.sfx.ms |TCP |443 |Updates for OneDrive client software|
128-
|*.digicert.com |TCP |80 |Certificate revocation check|
129-
|*.azure-dns.com |TCP |443 |Azure DNS resolution|
130-
|*.azure-dns.net |TCP |443 |Azure DNS resolution|
131-
132-
This list doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID, Office 365, custom DNS providers, or time services. Microsoft Entra FQDNs and endpoints can be found under ID 56, 59 and 125 in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges#microsoft-365-common-and-office-online).
133-
134101
> [!TIP]
135102
> You must use the wildcard character (*) for FQDNs involving service traffic. For agent traffic, if you prefer not to use a wildcard, here's how to find specific FQDNs to allow:
136103
> 1. Ensure your session host virtual machines are registered to a host pool.
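Review bot: Removing the per-endpoint tables drops the only place on the page that stated non-443 ports (TCP 1688 for kms and azkms activation, TCP 80 for 169.254.169.254, 168.63.129.16 and the OCSP hosts, 443 and 5671 for the IoT registration endpoints), yet the surviving intro still says `All endpoints connect over port 443 unless otherwise specified` and nothing in the new table specifies otherwise; someone building firewall rules from this page alone can end up allowing only 443, which blocks the activation and health-monitoring traffic the removed rows documented. Suggest either a port column or a one-line statement that the linked source pages list additional ports. Smaller items in the same table: the `Windows 365 Registration endpoints` row has only two cells against a four-column header (append `| | |`); the `Dev box communication endpoints` row lost its `Line by line in your firewall rules` guidance, so say explicitly that these two FQDNs have no tag and must be allowed individually; and the unchanged `Microsoft Intune` row reads `For current FQDNs and endpoints for Microsoft Entra ID` where it means Intune.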
@@ -141,7 +108,8 @@ This list doesn't include FQDNs and endpoints for other services such as Microso
141108

142109
Direct connectivity to Azure Virtual Desktop RDP broker service endpoints is critical for remote performance to a dev box. These endpoints affect both connectivity and latency. To align with the Microsoft 365 network connectivity principles, you should categorize these endpoints as *Optimize* endpoints, and use a [Remote Desktop Protocol (RDP) Shortpath](/windows-365/enterprise/rdp-shortpath-public-networks) from your Azure virtual network to those endpoints. RDP Shortpath can provide another connection path for improved dev box connectivity, especially in suboptimal network conditions.
143110

144-
To make it easier to configure network security controls, use Azure Virtual Desktop service tags to identify those endpoints for direct routing using an Azure Networking User Defined Route (UDR). A UDR results in direct routing between your virtual network and the RDP broker for lowest latency. For more information about Azure Service Tags, see Azure service tags overview.
111+
To make it easier to configure network security controls, use Azure Virtual Desktop service tags to identify those endpoints for direct routing using an Azure Networking User Defined Route (UDR). A UDR results in direct routing between your virtual network and the RDP broker for lowest latency.
112+
145113
Changing the network routes of a dev box (at the network layer or at the dev box layer like VPN) might break the connection between the dev box and the Azure Virtual Desktop RDP broker. If so, the end user is disconnected from their dev box until a connection is re-established.
146114

147115
## DNS requirements
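Review bot: The removed sentence `For more information about Azure Service Tags, see Azure service tags overview.` was an unlinked cross-reference; given this commit's purpose of adding links to source content, replace it with a linked one rather than deleting it, e.g. `For more information, see [Azure service tags overview](/azure/virtual-network/service-tags-overview).` (the same path is already linked elsewhere in this file). The added blank line at `112+` is a good fix, since the two paragraphs previously ran together in Markdown.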
@@ -164,7 +132,7 @@ You can allow dev boxes to connect to on-premises resources through a hybrid con
164132

165133
## Traffic interception technologies
166134

167-
Some enterprise customers use traffic interception, SSL decryption, deep packet inspection, and other similar technologies for security teams to monitor network traffic. Dev box provisioning might need direct access to the virtual machine. These traffic interception technologies can cause issues with running Azure network connection checks or dev box provisioning. Make sure no network interception is enforced for dev boxes provisioned within Microsoft Dev Box.
135+
Some enterprise customers use traffic interception, TLS decryption, deep packet inspection, and other similar technologies for security teams to monitor network traffic. Dev box provisioning might need direct access to the virtual machine. These traffic interception technologies can cause issues with running Azure network connection checks or dev box provisioning. Make sure no network interception is enforced for dev boxes provisioned within Microsoft Dev Box.
168136

169137
Traffic interception technologies can exacerbate latency issues. You can use a [Remote Desktop Protocol (RDP) Shortpath](/windows-365/enterprise/rdp-shortpath-public-networks) to help minimize latency issues.
170138
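Review bot: `Make sure no network interception is enforced for dev boxes provisioned within Microsoft Dev Box` reads as an all-or-nothing requirement; since the stated concern is the Azure network connection checks and provisioning, say what to exempt, i.e. exclude the dev box subnet and the FQDNs and tags listed earlier on the page from TLS decryption and deep packet inspection, rather than implying inspection must be disabled for the whole network. The SSL-to-TLS wording change is correct.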

@@ -193,9 +161,9 @@ This section covers some common connection and network issues.
193161

194162
- **Logon attempt failed**
195163

196-
If the dev box user encounters logon problems and sees an error message indicating that the logon attempt failed, ensure you enabled the PKU2U protocol on both the local PC and the session host.
164+
If the dev box user encounters sign in problems and sees an error message indicating that the sign in attempt failed, ensure you enabled the PKU2U protocol on both the local PC and the session host.
197165

198-
For more information about troubleshooting logon errors, see [Troubleshoot connections to Microsoft Entra joined VMs - Windows Desktop client](/azure/virtual-desktop/troubleshoot-azure-ad-connections#the-logon-attempt-failed).
166+
For more information about troubleshooting sign in errors, see [Troubleshoot connections to Microsoft Entra joined VMs - Windows Desktop client](/azure/virtual-desktop/troubleshoot-azure-ad-connections#the-logon-attempt-failed).
199167

200168
- **Group policy issues in hybrid environments**
201169
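Review bot: With `logon` changed to `sign in`, the noun and adjective uses need hyphens: `sign-in problems`, `sign-in attempt`, `sign-in errors`. Because the linked anchor is still `#the-logon-attempt-failed`, the message the user actually sees uses the word `logon`; consider quoting that literal error text so the user can match it against the troubleshooting article, rather than paraphrasing it as `sign in attempt failed`.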

@@ -205,13 +173,13 @@ This section covers some common connection and network issues.
205173

206174
### IPv6 addressing issues
207175

208-
If you're experiencing IPv6 issues, check that the *Microsoft.AzureActiveDirectory* service endpoint is not enabled on the virtual network or subnet. This service endpoint converts the IPv4 to IPv6.
176+
If you're experiencing IPv6 issues, check that the *Microsoft.AzureActiveDirectory* service endpoint isn't enabled on the virtual network or subnet. This service endpoint converts the IPv4 to IPv6.
209177

210178
For more information, see [Virtual Network service endpoints](/azure/virtual-network/virtual-network-service-endpoints-overview).
211179

212180
### Updating dev box definition image issues
213181

214-
When you update the image used in a dev box definition, you must ensure that you have sufficient IP addresses available in your virtual network. Additional free IP addresses are necessary for the Azure Network connection health check. If the health check fails the dev box definition will not update. You need 1 additional IP address per dev box, and two IP addresses for the health check and Dev Box infrastructure.
182+
When you update the image used in a dev box definition, you must ensure that you have sufficient IP addresses available in your virtual network. More free IP addresses are necessary for the Azure Network connection health check. If the health check fails the dev box definition won't update. You need one additional IP address per dev box, and two IP addresses for the health check and Dev Box infrastructure.
215183

216184
For more information about updating dev box definition images, see [Update a dev box definition](how-to-manage-dev-box-definitions.md#update-a-dev-box-definition).
217185
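Review bot: `You need one additional IP address per dev box, and two IP addresses for the health check and Dev Box infrastructure` is ambiguous about whether the two addresses are a one-off requirement for the subnet or scale with the number of dev boxes; state it as a total, e.g. `plus two more IP addresses in total for the health check and the Dev Box infrastructure`, and add the comma in `If the health check fails, the dev box definition won't update`. In the IPv6 paragraph, `This service endpoint converts the IPv4 to IPv6` does not say what is converted; either spell out the observable effect or drop the sentence and rely on the linked service endpoints article.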
