You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/firewall/protect-windows-virtual-desktop.md
+17-6Lines changed: 17 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.author: victorh
13
13
14
14
Windows Virtual Desktop (WVD) is a desktop and app virtualization service that runs on Azure. When an end user connects to a Windows Virtual Desktop environment, their session is run by a host pool. A host pool is a collection of Azure virtual machines that register to Windows Virtual Desktop as session hosts. These virtual machines run in your virtual network and are subject to the virtual network security controls. They need outbound Internet access to the WVD service to operate properly and might also need outbound Internet access for end users. Azure Firewall can help you lock down your environment and filter outbound traffic.
Follow the guidelines in this article to provide additional protection for your WVD host pool using Azure Firewall.
19
19
@@ -35,28 +35,39 @@ The Azure virtual machines you create for Windows Virtual Desktop must have acce
35
35
36
36
- The set of required storage and service bus accounts for your WVD host pool is deployment specific, so it isn't yet captured in the WindowsVirtualDesktop FQDN tag. You can address this in one of the following ways:
37
37
38
-
- Allow https access from your host pool subnet to *xt.blob.core.windows.net and *eh.servicebus.windows.net. These wildcard FQDNs enable the required access, but are less restrictive.
38
+
- Allow https access from your host pool subnet to *xt.blob.core.windows.net, *eh.servicebus.windows.net and *xt.table.core.windows.net. These wildcard FQDNs enable the required access, but are less restrictive.
39
39
- Use the following log analytics query to list the exact required FQDNs, and then allow them explicitly in your firewall application rules:
40
40
```
41
41
AzureDiagnostics
42
42
| where Category == "AzureFirewallApplicationRule"
43
43
| search "Deny"
44
-
| search "gsm*eh.servicebus.windows.net" or "gsm*xt.blob.core.windows.net"
44
+
| search "gsm*eh.servicebus.windows.net" or "gsm*xt.blob.core.windows.net" or "gsm*xt.table.core.windows.net"
45
45
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " FQDN ":" *
46
46
| project TimeGenerated,Protocol,FQDN
47
47
```
48
48
49
49
- Create a network rule collection add the following rules:
50
50
51
-
- Allow DNS – allow traffic from your ADDS private IP address to * for UDP port 53.
52
-
- Allow KMS – allow traffic from your WVD virtual machines to Windows Activation Service TCP port 1688. For more information about the destination IP addresses, see [Windows activation fails in forced tunneling scenario](../virtual-machines/troubleshooting/custom-routes-enable-kms-activation.md#solution).
51
+
- Allow DNS – allow traffic from your ADDS private IP address to * for TCP and UDP ports 53.
52
+
- Allow KMS – allow traffic from your WVD virtual machines to Windows Activation Service TCP port 1688. For more information about the destination IP addresses, see [Windows activation fails in forced tunneling scenario](../virtual-machines/troubleshooting/custom-routes-enable-kms-activation.md#solution).
53
+
54
+
> [!NOTE]
55
+
> Some deployments may not need DNS rules, for example Azure Active Directory Domain controllers forward DNS queries to Azure DNS at 168.63.129.16.
53
56
54
57
## Host pool outbound access to the Internet
55
58
56
-
Depending on your organization needs, you may want to enable secure outbound Internet access for your end users. In cases where the list of allowed destinations is welldefined (for example [Office 365 access](https://docs.microsoft.com/Office365/Enterprise/office-365-ip-web-service)) you can use Azure Firewall application and network rules to configure the required access. This routes end-user traffic directly to the Internet for best performance.
59
+
Depending on your organization needs, you may want to enable secure outbound Internet access for your end users. In cases where the list of allowed destinations is well-defined (for example [Office 365 access](https://docs.microsoft.com/Office365/Enterprise/office-365-ip-web-service)) you can use Azure Firewall application and network rules to configure the required access. This routes end-user traffic directly to the Internet for best performance.
57
60
58
61
If you want to filter outbound user Internet traffic using an existing on-premises secure web gateway, you can configure web browsers or other applications running on the WVD host pool with an explicit proxy configuration. For example, see [How to use Microsoft Edge command-line options to configure proxy settings](https://docs.microsoft.com/deployedge/edge-learnmore-cmdline-options-proxy-settings). These proxy settings only influence your end-user Internet access, allowing the WVD platform outbound traffic directly via Azure Firewall.
59
62
63
+
## Additional considerations
64
+
65
+
You may need to configure additional firewall rules, depending on your requirements:
66
+
67
+
- NTP server access
68
+
By default, virtual machines running Windows connect to time.windows.com over UDP port 123 for time synchronization. Create a network rule to allow this access, or for a time server that you use in your environment.
69
+
70
+
60
71
## Next steps
61
72
62
73
- Learn more about Windows Virtual Desktop: [What is Windows Virtual Desktop?](../virtual-desktop/overview.md)
0 commit comments