diagram and fqdns tag

vhorne · vhorne · commit 6bf0fe6fad6f · 2020-04-24T13:52:15.000-07:00
diff --git a/articles/firewall/fqdn-tags.md b/articles/firewall/fqdn-tags.md
@@ -5,7 +5,7 @@ services: firewall
 author: vhorne
 ms.service: firewall
 ms.topic: article
-ms.date: 04/23/2020
+ms.date: 04/24/2020
 ms.author: victorh
 ---
 
@@ -31,7 +31,7 @@ The following table shows the current FQDN tags you can use. Microsoft maintains
 |App Service Environment (ASE)|Allows outbound access to ASE platform traffic. This tag doesn’t cover customer-specific Storage and SQL endpoints created by ASE. These should be enabled via [Service Endpoints](../virtual-network/tutorial-restrict-network-access-to-resources.md) or added manually.<br><br>For more information about integrating Azure Firewall with ASE, see [Locking down an App Service Environment](../app-service/environment/firewall-integration.md#configuring-azure-firewall-with-your-ase).|
 |Azure Backup|Allows outbound access to the Azure Backup services.|
 |Azure HDInsight|Allows outbound access for HDInsight platform traffic. This tag doesn’t cover customer-specific Storage or SQL traffic from HDInsight. Enable these using [Service Endpoints](../virtual-network/tutorial-restrict-network-access-to-resources.md) or add them manually.|
-|WindowsVirtualDesktop|Allows outbound Windows Virtual Desktop platform traffic.
+|WindowsVirtualDesktop (WVD)|Allows outbound Windows Virtual Desktop platform traffic. This tag doesn’t cover deployment-specific Storage and Service Bus endpoints created by WVD. Additionally, DNS and KMS network rules are required. For more information about integrating Azure Firewall with WVD, see [Use Azure Firewall to protect Window Virtual Desktop deployments](protect-windows-virtual-desktop.md). 
 
 > [!NOTE]
 > When selecting FQDN Tag in an application rule, the protocol:port field must be set to **https**.
diff --git a/articles/firewall/media/protect-windows-virtual-desktop/wvd-architecture-diagram.png b/articles/firewall/media/protect-windows-virtual-desktop/wvd-architecture-diagram.png
diff --git a/articles/firewall/protect-windows-virtual-desktop.md b/articles/firewall/protect-windows-virtual-desktop.md
@@ -13,6 +13,8 @@ ms.author: victorh
 
 Windows Virtual Desktop (WVD) is a desktop and app virtualization service that runs on Azure. When an end user connects to a Windows Virtual Desktop environment, their session is run by a host pool. A host pool is a collection of Azure virtual machines that register to Windows Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the WVD service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic.
 
+![Windows Virtual Desktop architrecture](media/protect-windows-virtual-desktop/wvd-architecture-diagram.png)
+
 Follow the guidelines in this article to provide additional protection for your WVD host pool using Azure Firewall.
 
 ## Prerequisites
