You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
1. All parts of the connection - initial feed discovery, feed download, and remote session connections for clients and session hosts - use private routes. You need the following private endpoints:
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
13
+
| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace |
14
+
| Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global |**Only one for all your Azure Virtual Desktop deployments**|
15
+
16
+
1. Feed download and remote session connections for clients and session hosts use private routes, but initial feed discovery uses public routes. You need the following private endpoints. The endpoint for initial feed discovery isn't required.
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
21
+
| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace |
22
+
23
+
1. Only remote session connections for clients and session hosts use private routes, but initial feed discovery and feed download use public routes. You need the following private endpoint(s). Endpoints to workspaces aren't required.
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
28
+
29
+
1. Both clients and session host VMs use public routes. Private Link isn't used in this scenario.
30
+
31
+
> [!IMPORTANT]
32
+
> - If you create a private endpoint for initial feed discovery, the workspace used for the global sub-resource governs the shared Fully Qualified Domain Name (FQDN), facilitating the initial discovery of feeds across all workspaces. You should create a separate workspace that is only used for this purpose and doesn't have any application groups registered to it. Deleting this workspace will cause all feed discovery processes to stop working.
33
+
>
34
+
> - You can't control access to the workspace used for the initial feed discovery (global sub-resource). If you configure this workspace to only allow private access, the setting is ignored. This workspace is always accessible from public routes.
35
+
>
36
+
> - IP address allocations are subject to change as the demand for IP addresses increases. During capacity expansions, additional addresses are needed for private endpoints. It's important you consider potential address space exhaustion and ensure sufficient headroom for growth. For more information on determining the appropriate network configuration for private endpoints in either a hub or a spoke topology, see [Decision tree for Private Link deployment](/azure/architecture/networking/guide/private-link-hub-spoke-network#decision-tree-for-private-link-deployment).
Copy file name to clipboardExpand all lines: articles/virtual-desktop/private-link-overview.md
+11-27Lines changed: 11 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,39 +13,27 @@ You can use [Azure Private Link](../private-link/private-link-overview.md) with
13
13
14
14
## How does Private Link work with Azure Virtual Desktop?
15
15
16
-
Azure Virtual Desktop has three workflows with three corresponding resource types of private endpoints:
16
+
Azure Virtual Desktop has three workflows with three corresponding resource types to use with private endpoints. These workflows are:
17
17
18
18
1.**Initial feed discovery**: lets the client discover all workspaces assigned to a user. To enable this process, you must create a single private endpoint to the *global* sub-resource to any workspace. However, you can only create one private endpoint in your entire Azure Virtual Desktop deployment. This endpoint creates Domain Name System (DNS) entries and private IP routes for the global fully qualified domain name (FQDN) needed for initial feed discovery. This connection becomes a single, shared route for all clients to use.
19
19
20
20
2.**Feed download**: the client downloads all connection details for a specific user for the workspaces that host their application groups. You create a private endpoint for the *feed* sub-resource for each workspace you want to use with Private Link.
21
21
22
-
3.**Connections to host pools**: every connection to a host pool has two sides - clients and session host virtual machines (VMs). To enable connections, you need to create a private endpoint for the *connection* sub-resource for each host pool you want to use with Private Link.
22
+
3.**Connections to host pools**: every connection to a host pool has two sides - clients and session hosts. You need to create a private endpoint for the *connection* sub-resource for each host pool you want to use with Private Link.
23
23
24
24
The following high-level diagram shows how Private Link securely connects a local client to the Azure Virtual Desktop service. For more detailed information about client connections, see [Client connection sequence](#client-connection-sequence).
25
25
26
26
:::image type="content" source="media/private-link-diagram.png" alt-text="A high-level diagram that shows Private Link connecting a local client to the Azure Virtual Desktop service.":::
27
27
28
28
## Supported scenarios
29
29
30
-
When adding Private Link with Azure Virtual Desktop, you have the following supported scenarios to connect to Azure Virtual Desktop. Each can be enabled or disabled depending on your requirements. You can either share these private endpoints across your network topology or you can isolate your virtual networks so that each has their own private endpoint to the host pool or workspace.
30
+
When adding Private Link with Azure Virtual Desktop, you have the following supported scenarios to connect to Azure Virtual Desktop. Which scenario you choose depends on your requirements. You can either share these private endpoints across your network topology or you can isolate your virtual networks so that each has their own private endpoint to the host pool or workspace.
31
31
32
-
1. Both clients and session host VMs use private routes. You need the following private endpoints:
1. Clients use public routes while session host VMs use private routes. You need the following private endpoints. Endpoints to workspaces aren't required.
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool |
45
-
46
-
1. Both clients and session host VMs use public routes. Private Link isn't used in this scenario.
47
-
48
-
For connections to a workspace, except the workspace used for initial feed discovery (global sub-resource), the following table details the outcome of each scenario:
36
+
You configure settings on the relevant Azure Virtual Desktop workspaces and host pools to set public or private access. For connections to a workspace, except the workspace used for initial feed discovery (global sub-resource), the following table details the outcome of each scenario:
49
37
50
38
| Configuration | Outcome |
51
39
|--|--|
@@ -60,20 +48,13 @@ With the [reverse connect transport](network-connectivity.md#reverse-connect-tra
60
48
| Public access **disabled** from all networks | Remote sessions are **denied** when either the client or session host is using a *public* route.<br /><br />Remote sessions are **allowed** when both the client and session host are using a *private* route. |
61
49
| Public access **enabled** for client networks, but **disabled** for session host networks | Remote sessions are **denied** if the session host is using a *public* route, regardless of the route the client is using.<br /><br />Remote sessions are **allowed** as long as the session host is using a *private* route, regardless of the route the client is using. |
62
50
63
-
> [!IMPORTANT]
64
-
> - A private endpoint to the global sub-resource of any workspace controls the shared fully qualified domain name (FQDN) for initial feed discovery. This in turn enables feed discovery for all workspaces. Because the workspace connected to the private endpoint is so important, deleting it will cause all feed discovery processes to stop working. We recommend you create an unused placeholder workspace for the global sub-resource.
65
-
>
66
-
> - You can't control access to the workspace used for the initial feed discovery (global sub-resource). If you configure this workspace to only allow private access, the setting is ignored. This workspace is always accessible from public routes.
67
-
>
68
-
> - If you intend to restrict network ports from either the user client devices or your session host VMs to the private endpoints, you will need to allow traffic across the entire TCP dynamic port range of 1 - 65535 to the private endpoint for the host pool resource using the *connection* sub-resource. The entire TCP dynamic port range is needed because port mapping is used to all global gateways through the single private endpoint IP address corresponding to the *connection* sub-resource. If you restrict ports to the private endpoint, your users may not be able to connect successfully to Azure Virtual Desktop.
69
-
70
51
## Client connection sequence
71
52
72
53
When a user connects to Azure Virtual Desktop over Private Link, and Azure Virtual Desktop is configured to only allow client connections from private routes, the connection sequence is as follows:
73
54
74
55
1. With a supported client, a user subscribes to a workspace. The user's device queries DNS for the address `rdweb.wvd.microsoft.com` (or the corresponding address for other Azure environments).
75
56
76
-
1. Your private DNS zone for **privatelink-global.wvd.microsoft.com** returns the private IP address for the initial feed discovery (global sub-resource).
57
+
1. Your private DNS zone for **privatelink-global.wvd.microsoft.com** returns the private IP address for the initial feed discovery (global sub-resource). If you're not using a private endpoint for initial feed discovery, a public IP address is returned.
77
58
78
59
1. For each workspace in the feed, a DNS query is made for the address `<workspaceId>.privatelink.wvd.microsoft.com`.
79
60
@@ -83,7 +64,10 @@ When a user connects to Azure Virtual Desktop over Private Link, and Azure Virtu
83
64
84
65
1. Your private DNS zone for **privatelink.wvd.microsoft.com** returns the private IP address for the Azure Virtual Desktop gateway service to use for the host pool providing the remote session. Orchestration through the virtual network and the private endpoint uses TCP port 443.
85
66
86
-
1. Following orchestration, the network traffic between the client, Azure Virtual Desktop gateway service, and session host is transferred over to a port in the TCP dynamic port range of 1 - 65535. The entire port range is needed because port mapping is used to all global gateways through the single private endpoint IP address corresponding to the *connection* sub-resource. Azure private networking internally maps these ports to the appropriate gateway that was selected during client orchestration.
67
+
1. Following orchestration, the network traffic between the client, Azure Virtual Desktop gateway service, and session host is transferred over to a port in the TCP dynamic port range of 1 - 65535.
68
+
69
+
> [!IMPORTANT]
70
+
> If you intend to restrict network ports from either the user client devices or your session host VMs to the private endpoints, you will need to allow traffic across the entire TCP dynamic port range of 1 - 65535 to the private endpoint for the host pool resource using the *connection* sub-resource. The entire TCP dynamic port range is needed because Azure private networking internally maps these ports to the appropriate gateway that was selected during client orchestration. If you restrict ports to the private endpoint, your users may not be able to connect to Azure Virtual Desktop.
Copy file name to clipboardExpand all lines: articles/virtual-desktop/private-link-setup.md
+29-25Lines changed: 29 additions & 25 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -32,12 +32,29 @@ In order to use Private Link with Azure Virtual Desktop, you need the following
32
32
33
33
To use Private Link with Azure Virtual Desktop, you need to re-register the *Microsoft.DesktopVirtualization* resource provider on each subscription you want to use Private Link with Azure Virtual Desktop.
34
34
35
-
> [!IMPORTANT]
36
-
> For Azure for US Government and Azure operated by 21Vianet, you also need to register the feature for each subscription.
35
+
Select the relevant tab for your scenario.
36
+
37
+
# [Azure](#tab/azure)
38
+
39
+
### Re-register the Azure Virtual Desktop resource provider
40
+
41
+
Before you can use Private Link with Azure Virtual Desktop, you need to re-register the *Microsoft.DesktopVirtualization* resource provider. You need to do this for each subscription you want to use for Private Link with Azure Virtual Desktop:
42
+
43
+
1. Sign in to the [Azure portal](https://portal.azure.com).
44
+
45
+
1. In the search bar, enter **Subscriptions** and select the matching service entry.
46
+
47
+
1. Select the name of your subscription, then in the section **Settings**, select **Resource providers**.
48
+
49
+
1. Search for and select **Microsoft.DesktopVirtualization**, then select **Re-register**.
50
+
51
+
1. Verify that the status of *Microsoft.DesktopVirtualization* is **Registered**.
52
+
53
+
# [Azure US Gov and 21Vianet](#tab/us-gov-21vianet)
37
54
38
55
### Register Private Link with Azure Virtual Desktop (Azure for US Government and Azure operated by 21Vianet only)
39
56
40
-
To register the *Azure Virtual Desktop Private Link* feature:
57
+
For Azure for US Government and Azure operated by 21Vianet, first you need to register your Azure subscription for Private Link with Azure Virtual Desktop:
41
58
42
59
1. Sign in to the [Azure portal](https://portal.azure.com).
43
60
@@ -49,9 +66,9 @@ To register the *Azure Virtual Desktop Private Link* feature:
49
66
50
67
1. Select **Azure Virtual Desktop Private Link**, then select **Register**.
51
68
52
-
### Re-register the resource provider
69
+
### Re-register the Azure Virtual Desktop resource provider
53
70
54
-
To re-register the *Microsoft.DesktopVirtualization* resource provider:
71
+
Once you've registered your subscription, you need to re-register the *Microsoft.DesktopVirtualization* resource provider. You need to do this for each subscription you want to use for Private Link with Azure Virtual Desktop:
55
72
56
73
1. Sign in to the [Azure portal](https://portal.azure.com).
57
74
@@ -63,26 +80,13 @@ To re-register the *Microsoft.DesktopVirtualization* resource provider:
63
80
64
81
1. Verify that the status of *Microsoft.DesktopVirtualization* is **Registered**.
65
82
66
-
## Create private endpoints
67
-
68
-
During the setup process, you create private endpoints to the following resources, depending on your scenario.
69
-
70
-
1. Both clients and session host VMs use private routes. You need the following private endpoints:
71
-
72
-
| Purpose | Resource type | Target sub-resource | Endpoint quantity | IP address quantity |
73
-
|--|--|--|--|--|
74
-
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool | Four per endpoint |
75
-
| Feed download | Microsoft.DesktopVirtualization/workspaces | feed | One per workspace | Two per endpoint |
76
-
| Initial feed discovery | Microsoft.DesktopVirtualization/workspaces | global |**Only one for all your Azure Virtual Desktop deployments**| One per endpoint |
83
+
---
77
84
78
-
1. Clients use public routes while session host VMs use private routes. You need the following private endpoints. Endpoints to workspaces aren't required.
85
+
## Create private endpoints
79
86
80
-
| Purpose | Resource type | Target sub-resource | Endpoint quantity | IP address quantity |
81
-
|--|--|--|--|--|
82
-
| Connections to host pools | Microsoft.DesktopVirtualization/hostpools | connection | One per host pool | Four per endpoint |
87
+
During the setup process, you need to create private endpoints to the following resources, depending on your scenario.
83
88
84
-
> [!IMPORTANT]
85
-
> IP address allocations are subject to change as the demand for IP addresses increases. During capacity expansions, additional addresses are needed for private endpoints. It's important you consider potential address space exhaustion and ensure sufficient headroom for growth. For more information on determining the appropriate network configuration for private endpoints in either a hub or a spoke topology, see [Decision tree for Private Link deployment](/azure/architecture/networking/guide/private-link-hub-spoke-network#decision-tree-for-private-link-deployment).
@@ -560,7 +564,7 @@ To create a private endpoint for the *global* sub-resource used for the initial
560
564
561
565
1. From the Azure Virtual Desktop overview, select **Workspaces**, then select the name of a workspace you want to use for the global sub-resource.
562
566
563
-
1.*Optional*: Instead, create a placeholder workspace to terminate the global endpoint by following the instructions to [Create a workspace](create-application-group-workspace.md?tabs=portal#create-a-workspace).
567
+
1.*Optional*: Instead, create a placeholder workspace to terminate the global endpoint by following the instructions to [Create a workspace](deploy-azure-virtual-desktop.md?tabs=portal#create-a-workspace).
564
568
565
569
1. From the workspace overview, select **Networking**, then **Private endpoint connections**, and finally **New private endpoint**.
566
570
@@ -603,7 +607,7 @@ To create a private endpoint for the *global* sub-resource used for the initial
603
607
604
608
# [Azure PowerShell](#tab/powershell)
605
609
606
-
1.*Optional*: Create a placeholder workspace to terminate the global endpoint by following the instructions to [Create a workspace](create-application-group-workspace.md?tabs=powershell#create-a-workspace).
610
+
1.*Optional*: Create a placeholder workspace to terminate the global endpoint by following the instructions to [Create a workspace](deploy-azure-virtual-desktop.md?tabs=powershell#create-a-workspace).
607
611
608
612
1. In the same PowerShell session, create a Private Link service connection for the workspace with the global sub-resource by running the following commands. In these examples, the same virtual network and subnet are used.
609
613
@@ -681,7 +685,7 @@ To create a private endpoint for the *global* sub-resource used for the initial
681
685
682
686
# [Azure CLI](#tab/cli)
683
687
684
-
1.*Optional*: Create a placeholder workspace to terminate the global endpoint by following the instructions to [Create a workspace](create-application-group-workspace.md?tabs=cli#create-a-workspace).
688
+
1.*Optional*: Create a placeholder workspace to terminate the global endpoint by following the instructions to [Create a workspace](deploy-azure-virtual-desktop.md?tabs=cli#create-a-workspace).
685
689
686
690
1. In the same CLI session, create a Private Link service connection and the private endpoint for the workspace with the global sub-resource by running the following commands:
0 commit comments