Host Pool Outbound Access to Azure Virtual Desktop
The Azure virtual machines you build for Azure Virtual Desktop must have access to several fully qualified domain names (FQDNs) to function properly. Azure Firewall provides an Azure Virtual Desktop FQDN tag to simplify this configuration. Use the following steps to allow outbound Azure Virtual Desktop platform traffic:
1. Deploy an Azure Firewall and configure the user-defined route (UDR) on your Azure Virtual Desktop host pool subnet to send all traffic through the Azure Firewall. The subnet's default route now points to the firewall.
2. Create an application rule collection and add a rule that enables the WindowsVirtualDesktop FQDN tag. The source IP address range is the host pool virtual network, the protocol is HTTPS, and the destination is the WindowsVirtualDesktop tag.
3. The set of storage and service bus accounts required by your Azure Virtual Desktop host pool is deployment specific, so it isn't yet captured in the WindowsVirtualDesktop FQDN tag. Address this in one of the following ways:
   a. Allow HTTPS access from your host pool subnet to *xt.blob.core.windows.net, *eh.servicebus.windows.net, and *xt.table.core.windows.net. These wildcard FQDNs enable the required access but are less restrictive.
   b. Use the following Log Analytics query to list the exact FQDNs your host pool needs, then allow them explicitly in your firewall application rules:
      AzureDiagnostics | where Category == "AzureFirewallApplicationRule" | search "Deny" | search "gsm*eh.servicebus.windows.net" or "gsm*xt.blob.core.windows.net" or "gsm*xt.table.core.windows.net" | parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int " to " FQDN ":" * | project TimeGenerated, Protocol, FQDN
4. Create a network rule collection and add the following rules: Allow DNS, which allows traffic from your AD DS private IP address to * on TCP and UDP port 53; and Allow KMS, which allows traffic from your Azure Virtual Desktop virtual machines to the Windows Activation Service on TCP port 1688.
Note: Certain deployments may not require DNS rules; for instance, Azure Active Directory domain controllers forward DNS queries to Azure DNS at 168.63.129.16.
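The steps above, scripted with the Azure CLI as an added example (this is not code from the original page or from Microsoft). Resource group, firewall name, host pool CIDR and AD DS address are assumed placeholders; the KMS address defaults to the public Azure KMS endpoint and should be verified for your cloud; the log sample is constructed, not real firewall output. With DRY_RUN=1 (the default) the script prints the az commands instead of running them, so the rule set can be reviewed before anything is applied. The denied_avd_fqdns function reproduces the filter of the Log Analytics query in step 3b over exported msg_s values, so the tighter explicit rule can be built from what the firewall actually denied:

```shell
#!/bin/sh
# Added example (not from the original page): scripts steps 2 to 4 above with the
# Azure CLI. Names, CIDRs and IPs are placeholders; DRY_RUN=1 prints the commands
# instead of calling az, so the plan can be reviewed offline.
RG="${RG:-rg-avd}"                               # assumed resource group
FW_NAME="${FW_NAME:-fw-hub}"                     # assumed Azure Firewall name
HOSTPOOL_CIDR="${HOSTPOOL_CIDR:-10.10.1.0/24}"   # assumed host pool subnet
ADDS_IP="${ADDS_IP:-10.10.0.4}"                  # assumed AD DS domain controller IP
KMS_IP="${KMS_IP:-23.102.135.246}"               # public Azure KMS (kms.core.windows.net); verify for your cloud
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Step 2: one application rule keyed on the WindowsVirtualDesktop FQDN tag.
avd_platform_rule() {
  run az network firewall application-rule create \
    --resource-group "$RG" --firewall-name "$FW_NAME" \
    --collection-name AVD-Platform --priority 100 --action Allow \
    --name Allow-AVD-FqdnTag --protocols Https=443 \
    --source-addresses "$HOSTPOOL_CIDR" --fqdn-tags WindowsVirtualDesktop
}

# Step 3a: the broad wildcard option for the deployment-specific storage/service bus hosts.
avd_storage_rule_wildcard() {
  run az network firewall application-rule create \
    --resource-group "$RG" --firewall-name "$FW_NAME" \
    --collection-name AVD-Platform --name Allow-AVD-Storage-Wildcard \
    --protocols Https=443 --source-addresses "$HOSTPOOL_CIDR" \
    --target-fqdns '*xt.blob.core.windows.net' '*eh.servicebus.windows.net' '*xt.table.core.windows.net'
}

# Step 3b: the same filter as the Log Analytics query, applied to msg_s values on stdin.
# Keeps denied requests to gsm*{xt.blob.core,eh.servicebus,xt.table.core}.windows.net
# and prints each FQDN once, in first-seen order.
denied_avd_fqdns() {
  awk '
    /Action: Deny/ && match($0, /request from [^ ]+ to [^:]+:/) {
      s = substr($0, RSTART, RLENGTH)
      sub(/.* to /, "", s); sub(/:$/, "", s)
      if (s ~ /^gsm.*(xt\.blob\.core|eh\.servicebus|xt\.table\.core)\.windows\.net$/ && !seen[s]++) print s
    }'
}

# Tight alternative to 3a: allow only the FQDNs the logs showed being denied.
avd_storage_rule_explicit() {
  [ $# -gt 0 ] || { echo "avd_storage_rule_explicit: no FQDNs supplied" >&2; return 1; }
  run az network firewall application-rule create \
    --resource-group "$RG" --firewall-name "$FW_NAME" \
    --collection-name AVD-Platform --name Allow-AVD-Storage-Explicit \
    --protocols Https=443 --source-addresses "$HOSTPOOL_CIDR" --target-fqdns "$@"
}

# Step 4: DNS from the AD DS controller to any resolver on 53/TCP+UDP, and KMS from
# the session hosts to the Windows Activation Service on 1688/TCP.
avd_network_rules() {
  run az network firewall network-rule create \
    --resource-group "$RG" --firewall-name "$FW_NAME" \
    --collection-name AVD-Network --priority 200 --action Allow \
    --name Allow-DNS --protocols TCP UDP \
    --source-addresses "$ADDS_IP" --destination-addresses '*' --destination-ports 53
  run az network firewall network-rule create \
    --resource-group "$RG" --firewall-name "$FW_NAME" \
    --collection-name AVD-Network --name Allow-KMS --protocols TCP \
    --source-addresses "$HOSTPOOL_CIDR" --destination-addresses "$KMS_IP" --destination-ports 1688
}

# Constructed sample of msg_s values (not real log data): two session hosts reaching the
# same storage account, one allowed platform request and one unrelated deny.
SAMPLE_LOG='HTTPS request from 10.10.1.5:51234 to gsm1234567xt.blob.core.windows.net:443. Action: Deny. No rule matched. Proceeding with default action
HTTPS request from 10.10.1.5:51240 to gsm1234567eh.servicebus.windows.net:443. Action: Deny. No rule matched. Proceeding with default action
HTTPS request from 10.10.1.6:51301 to gsm1234567xt.blob.core.windows.net:443. Action: Deny. No rule matched. Proceeding with default action
HTTPS request from 10.10.1.6:51302 to gsm1234567xt.table.core.windows.net:443. Action: Deny. No rule matched. Proceeding with default action
HTTPS request from 10.10.1.5:51250 to rdbroker.wvd.microsoft.com:443. Action: Allow. Rule Collection: AVD-Platform. Rule: Allow-AVD-FqdnTag
HTTPS request from 10.10.1.7:51400 to www.example.com:443. Action: Deny. No rule matched. Proceeding with default action'

# Dry-run plan (set DRY_RUN=0 to apply). In practice pick 3a or 3b, not both.
avd_platform_rule
avd_storage_rule_wildcard
avd_network_rules
explicit=$(printf '%s\n' "$SAMPLE_LOG" | denied_avd_fqdns)
avd_storage_rule_explicit $explicit   # unquoted on purpose: one argument per FQDN
```

Run it once with the default DRY_RUN=1 and compare the printed az commands with the steps above; only then rerun with DRY_RUN=0 against a firewall you are logged in to. The explicit rule is the one to keep long term, since a wildcard such as *xt.blob.core.windows.net also admits storage accounts that are not yours; rerun the log filter after adding session hosts, because a new host pool can introduce new gsm* accounts.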