articles/firewall/protect-azure-virtual-desktop.md
4 additions & 63 deletions
@@ -27,76 +27,17 @@ To learn more about Azure Virtual Desktop terminology, see [Azure Virtual Deskto
## Host pool outbound access to Azure Virtual Desktop
-
The Azure virtual machines you create for Azure Virtual Desktop must have access to several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall uses the Azure Virtual Desktop FQDN tag `WindowsVirtualDesktop` to simplify this configuration. You need to create an Azure Firewall Policy and create Rule Collections for Network Rules and Applications Rules. Give the Rule Collection a priority and an *allow* or *deny* action.
-
-
You need to create an Azure Firewall Policy and create Rule Collections for Network Rules and Applications Rules. Give the Rule Collection a priority and an allow or deny action.
-
In order to identify a specific AVD Host Pool as "Source" in the tables below, [IP Group](../firewall/ip-groups.md) can be created to represent it.
-
-
### Create network rules
-
-
The following table lists the ***mandatory*** rules to allow outbound access to the control plane and core dependent services. For more information, see [Required FQDNs and endpoints for Azure Virtual Desktop](../virtual-desktop/required-fqdn-endpoint.md).
-
-
# [Azure cloud](#tab/azure)
-
-
| Name | Source type | Source | Protocol | Destination ports | Destination type | Destination |
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`login.microsoftonline.com`|
-
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | Service Tag |`WindowsVirtualDesktop`, `AzureFrontDoor.Frontend`, `AzureMonitor`|
-
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`gcs.prod.monitoring.core.windows.net`|
-
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP, UDP | 53 | IP Address |[Address of the DNS server used]|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 1688 | IP address |`azkms.core.windows.net`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 1688 | IP address |`kms.core.windows.net`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`mrsglobalsteus2prod.blob.core.windows.net`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`wvdportalstorageblob.blob.core.windows.net`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 80 | FQDN |`oneocsp.microsoft.com`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 80 | FQDN |`www.microsoft.com`|
-
-
# [Azure for US Government](#tab/azure-for-us-government)
-
-
| Name | Source type | Source | Protocol | Destination ports | Destination type | Destination |
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`login.microsoftonline.us`|
-
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | Service Tag |`WindowsVirtualDesktop`, `AzureMonitor`|
-
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`gcs.monitoring.core.usgovcloudapi.net`|
-
| Rule Name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP, UDP | 53 | IP Address | * |
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 1688 | IP address |`kms.core.usgovcloudapi.net`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`mrsglobalstugviffx.blob.core.usgovcloudapi.net`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 443 | FQDN |`wvdportalstorageblob.blob.core.usgovcloudapi.net`|
-
| Rule name | IP Address or Group | IP Group, VNet or Subnet IP Address | TCP | 80 | FQDN |`ocsp.msocsp.com`|
+
The Azure virtual machines you create for Azure Virtual Desktop must have access to several Fully Qualified Domain Names (FQDNs) to function properly. Azure Firewall uses the Azure Virtual Desktop FQDN tag `WindowsVirtualDesktop` to simplify this configuration. You'll need to create an Azure Firewall Policy and create Rule Collections for Network Rules and Applications Rules. Give the Rule Collection a priority and an *allow* or *deny* action.
-
---
-
-
> [!NOTE]
-
> Some deployments might not need DNS rules. For example, Microsoft Entra Domain Services domain controllers forward DNS queries to Azure DNS at 168.63.129.16.
-
-
Depending on usage and scenario, **optional** Network rules can be used:
-
-
| Name | Source type | Source | Protocol | Destination ports | Destination type | Destination |
| Rule Name | IP Address or Group | VNet or Subnet IP Address | Https:443 | FQDN Tag |`WindowsUpdate`, `Windows Diagnostics`, `MicrosoftActiveProtectionService`|
-
| Rule Name | IP Address or Group | VNet or Subnet IP Address | Https:443 | FQDN |`*.events.data.microsoft.com`|
-
| Rule Name | IP Address or Group | VNet or Subnet IP Address | Https:443 | FQDN |`*.sfx.ms`|
-
| Rule Name | IP Address or Group | VNet or Subnet IP Address | Https:443 | FQDN |`*.digicert.com`|
-
| Rule Name | IP Address or Group | VNet or Subnet IP Address | Https:443 | FQDN |`*.azure-dns.com`, `*.azure-dns.net`|
+
You need to create rules for each of the required FQDNs and endpoints. The list is available at [Required FQDNs and endpoints for Azure Virtual Desktop](../virtual-desktop/required-fqdn-endpoint.md). In order to identify a specific host pool as *Source*, you can create an [IP Group](../firewall/ip-groups.md) with each session host to represent it.
> [!IMPORTANT]
> We recommend that you don't use TLS inspection with Azure Virtual Desktop. For more information, see the [proxy server guidelines](../virtual-desktop/proxy-server-support.md#dont-use-ssl-termination-on-the-proxy-server).
## Azure Firewall Policy Sample
-
All the mandatory and optional rules mentioned can be easily deployed in a single Azure Firewall Policy using the template published at [https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD](https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD).
-
Before deploying into production, we recommended reviewing all the Network and Application rules defined, ensure alignment with Azure Virtual Desktop official documentation and security requirements.
+
All the mandatory and optional rules mentioned above can be easily deployed in a single Azure Firewall Policy using the template published at [https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD](https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD).
+
Before deploying into production, we recommended reviewing all the network and application rules defined, ensure alignment with Azure Virtual Desktop official documentation and security requirements.
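Review bot: the retained "Azure Firewall Policy Sample" section now opens with "All the mandatory and optional rules mentioned above can be easily deployed ...", but this hunk deletes every rule table from the article, so "mentioned above" points at nothing; reword the added line to name the source of the rules, for example "All the rules listed in [Required FQDNs and endpoints for Azure Virtual Desktop](../virtual-desktop/required-fqdn-endpoint.md) can be deployed in a single Azure Firewall Policy using the template published at ...". The next added line carries the grammar of the line it replaces: "we recommended reviewing all the network and application rules defined, ensure alignment with ..." should read "we recommend reviewing all the network and application rules defined and ensuring they align with the Azure Virtual Desktop documentation and your security requirements". The added line beginning "The Azure virtual machines you create" keeps "Applications Rules" from the old text; it should be "Application Rules". Finally, the deleted block included the NOTE that some deployments do not need DNS rules because Microsoft Entra Domain Services domain controllers forward DNS queries to Azure DNS at 168.63.129.16, and the TCP 1688 rules to the KMS endpoints (`azkms.core.windows.net`, `kms.core.windows.net`, `kms.core.usgovcloudapi.net`); neither survives in the added text, so confirm the linked required-FQDNs page covers DNS and KMS egress before merging, or keep the NOTE here, since readers who lock down outbound access without those rules will see activation and name-resolution failures on the session hosts.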