How Does AVD Secure the Connection?
Azure Virtual Desktop utilizes TLS 1.2 for all connections initiated from the clients and session hosts to the Azure Virtual Desktop infrastructure components. For reverse connect transport, both the client and session hosts connect to the Azure Virtual Desktop gateway. After establishing the TCP connection, the client or session host validates the Azure Virtual Desktop gateway’s certificate. After establishing the base transport, RDP establishes a nested TLS connection between the client and session host using the session host’s certificates. By default, the certificate used for RDP encryption is self-generated by the OS during the deployment.
Implement and Manage Network Security
Before learning how to manage network security in Azure Virtual Desktop, you as an Azure Virtual Desktop admin must remember that when an end user connects to an Azure Virtual Desktop environment, their session runs on a host pool. A host pool is nothing but a collection of Azure virtual machines that register to Azure Virtual Desktop as session hosts.
Because these session hosts are deployed in your virtual network, they are subject to the virtual network's security controls. They need outbound Internet access to the Azure Virtual Desktop service to operate properly and might also need outbound Internet access for end users. Azure Firewall is an essential part of this network security, and it can assist you in locking down your environment and filtering outbound traffic.
Filtering outbound traffic means allowing only the connections that are required and dropping all unwanted traffic at the firewall level. Figure 4-33 shows the Azure Virtual Desktop security system.
Figure 4-33. Azure Virtual Desktop Security system
Additionally, Figure 4-33 shows how Azure Firewall provides extra protection for your Azure Virtual Desktop host pool.
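As an added example (not from the book), the following Az PowerShell script configures the outbound filtering described above for a host pool subnet: an application rule using the built-in WindowsVirtualDesktop FQDN tag, a network rule for the WindowsVirtualDesktop service tag on TCP 443, and a default route that sends the subnet's traffic through the firewall, where anything not matched by an allow rule is dropped. The resource names, subnet prefix and rule priorities are assumptions.

```powershell
# Added example, not from the book. Assumed names: resource group 'rg-avd',
# firewall 'fw-avd', virtual network 'vnet-avd', host pool subnet
# 'snet-hosts' with prefix 10.10.1.0/24. Requires the Az PowerShell module.
$rg        = 'rg-avd'
$fwName    = 'fw-avd'
$vnetName  = 'vnet-avd'
$subnet    = 'snet-hosts'
$hostPool  = '10.10.1.0/24'

$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg

# 1. Application rule: the built-in FQDN tag covers the HTTPS endpoints of the
#    Azure Virtual Desktop service that session hosts must reach.
$avdAppRule = New-AzFirewallApplicationRule -Name 'allow-avd-service' `
    -SourceAddress $hostPool -FqdnTag WindowsVirtualDesktop
$appColl = New-AzFirewallApplicationRuleCollection -Name 'avd-required-app' `
    -Priority 200 -Rule $avdAppRule -ActionType Allow

# 2. Network rule: the WindowsVirtualDesktop service tag on TCP 443.
$avdNetRule = New-AzFirewallNetworkRule -Name 'allow-avd-443' `
    -SourceAddress $hostPool -DestinationAddress WindowsVirtualDesktop `
    -DestinationPort 443 -Protocol TCP
$netColl = New-AzFirewallNetworkRuleCollection -Name 'avd-required-net' `
    -Priority 200 -Rule $avdNetRule -ActionType Allow

# Azure Firewall denies traffic that matches no allow rule, so no explicit
# deny collection is needed: only the required connections get through.
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw

# 3. Route the host pool subnet's default route through the firewall, so
#    session host traffic cannot bypass the filtering by leaving directly.
$fwIp  = $fw.IpConfigurations[0].PrivateIPAddress
$route = New-AzRouteConfig -Name 'default-via-fw' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp
$rt = New-AzRouteTable -Name 'rt-avd-hosts' -ResourceGroupName $rg `
    -Location $fw.Location -Route $route

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $hostPool -RouteTable $rt | Out-Null
$vnet | Set-AzVirtualNetwork
```

Session hosts typically need further outbound destinations (for example Windows activation, Azure Monitor or update services); add those as explicit allow rules rather than widening the default.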