I've set up Azure Virtual Desktop (AVD), and it works perfectly fine when the traffic is routed directly to the internet. Users can log in using their Entra ID credentials without any issues. However, as soon as we configure it behind a firewall, the authentication to the virtual desktops fails. I've checked and confirmed that all the necessary firewall rules and NSGs are set to allow traffic from the virtual desktops, but it's still not working. Is there something else I might be missing that's preventing the traffic?
5 Answers
It's essential to remember that Microsoft doesn't tend to favor having its traffic inspected too heavily. If your firewall is set up for deep packet inspection, it might be causing issues. Just something to keep in mind!
Have you looked into the required endpoints for AVD? There's a Microsoft document that lists the specific FQDNs you need to keep open for it to function correctly. AVD needs to maintain a heartbeat with Microsoft infrastructure, so if you're blocking some web traffic, you might need to adjust your firewall rules accordingly. Check it out!
In the official documentation, there are mandatory firewall ports that need to be open alongside some 'recommended' ones. Many of these recommended settings are crucial for functionality. It's totally possible to run AVD behind a firewall using UDR as the next hop, and it should work with both Service Tags and FQDN rules.
Good call! I often forget to look at those recommended settings.
Consider if STUN traffic could be an issue here. Sometimes third-party firewalls might be blocking that traffic even if you don't see any drops. It could be worth investigating!
Make sure that you've configured all the FQDNs and IPs for your session host VMs as specified in the documentation. It's critical for getting the AVD services to communicate correctly through the firewall.

Thanks for pointing that out! I'll double-check those firewall ports to make sure everything's set properly.
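Two of the answers above (the required FQDN/port list, and the note that STUN traffic can be silently dropped without any visible deny) come down to the same practical check: from a session host, can the VM actually reach the required HTTPS endpoints, and does a STUN Binding Request on UDP 3478 get an answer back through the firewall? The script below is an added example written for this thread, not code from Microsoft or from anyone posting here. It builds and parses RFC 5389 STUN Binding messages itself (so the parser can be exercised offline against a constructed response), and the `REQUIRED_TCP_ENDPOINTS` list and the `stun_host` argument are assumptions you fill in from the Microsoft required-URL documentation; only `login.microsoftonline.com` is pre-filled as a known entry.

```python
import os
import socket
import struct

# RFC 5389 constants for a STUN Binding exchange.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020

# Assumption: populate from the Microsoft required-URL list for AVD session hosts.
# Wildcard entries in that list (e.g. *.wvd.microsoft.com) need a concrete host to probe.
REQUIRED_TCP_ENDPOINTS = [
    ("login.microsoftonline.com", 443),
    # ("<fqdn from the required URL list>", 443),
]


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte STUN header: type, zero attribute length, magic cookie, 12-byte transaction id."""
    if len(txn_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def parse_binding_response(data: bytes, txn_id: bytes):
    """Return (public_ip, public_port) from a Binding Success response, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, msg_len, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        raise ValueError("not a response to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    body = data[20:20 + msg_len]
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)  # attribute values are padded to 4 bytes
        if attr_type in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS) and len(value) >= 8:
            family, port = struct.unpack("!xBH", value[:4])
            (addr,) = struct.unpack("!I", value[4:8])
            if family != 0x01:  # IPv4 only for this check
                continue
            if attr_type == ATTR_XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                addr ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no mapped address in response")


def stun_probe(stun_host: str, port: int = 3478, timeout: float = 3.0):
    """Send one Binding Request over UDP. None means no reply: a silent drop looks exactly like this."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txn_id), (stun_host, port))
        try:
            data, _ = sock.recvfrom(1024)
        except socket.timeout:
            return None
    return parse_binding_response(data, txn_id)


def tcp_check(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes (DNS failure or filtering gives False)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed sample: a Binding Success carrying XOR-MAPPED-ADDRESS for 203.0.113.7:49152
# (TEST-NET-3 address, chosen for this example), so the parser can be checked offline.
SAMPLE_TXN = bytes(range(12))
SAMPLE_RESPONSE = (
    bytes.fromhex("0101000c2112a442")          # type 0x0101, length 12, magic cookie
    + SAMPLE_TXN
    + bytes.fromhex("00200008" "0001" "e112" "ea12d545")  # XOR-MAPPED-ADDRESS, IPv4
)


if __name__ == "__main__":
    for host, port in REQUIRED_TCP_ENDPOINTS:
        print(f"tcp {host}:{port} -> {'ok' if tcp_check(host, port) else 'BLOCKED or unresolved'}")
    # Assumption: replace with the STUN server named in the AVD RDP Shortpath documentation.
    result = stun_probe("<stun-host-from-documentation>")
    print("stun udp/3478 ->", "no reply (filtered or dropped)" if result is None else result)
```

Run it on the session host itself, not from your workstation, so the probes take the same UDR and firewall path as the AVD agent. A `None` from `stun_probe` with no corresponding deny in the firewall log is the "blocked even if you don't see any drops" case from the thread; a `False` from `tcp_check` on an entry from the required list points at an FQDN or service-tag rule that is missing or at DNS not resolving through the firewall.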