Required Outbound Internet Access from AVD Session Host VMs

In some Azure environments, newly created session host VMs are restricted from connecting to the internet. This may be done with custom routing and network security groups (NSG) at the virtual network level or with proxy settings or custom security configurations pushed to the session host VMs via Active Directory GPO.

For Nerdio Manager to automate the creation and management of AVD session host VMs, session hosts must be allowed the following outbound access to Azure and Microsoft services.

| Address                                         | Outbound TCP Port | Purpose                                 | Service Tag              |
|-------------------------------------------------|-------------------|-----------------------------------------|--------------------------|
| nmmstorageaccount.blob.core.windows.net         | 443               | Nerdio DSC extension                    |                          |
| *.wvd.microsoft.com                             | 443               | Service Traffic                         | WindowsVirtualDesktop    |
| *.prod.warm.ingest.monitor.core.windows.net     | 443               | Agent Traffic                           | AzureCloud               |
| catalogartifact.azureedge.net                   | 443               | Azure Marketplace                       | AzureFrontDoor.Frontend  |
| kms.core.windows.net                            | 1688              | Windows Activation                      | Internet                 |
| azkms.core.windows.net                          | 1688              | Windows Activation                      | Internet                 |
| mrsglobalsteus2prod.blob.core.windows.net       | 443               | Agent and SXS Stack Updates             | AzureCloud               |
| wvdportalstorageblob.blob.core.windows.net      | 443               | Azure Portal Support                    | AzureCloud               |
| 169.254.169.254                                 | 80                | Azure Instance Metadata Service Endpoint| N/A                      |
| 168.63.129.16                                   | 80                | Session Host Health Monitoring          | N/A                      |
| oneocsp.microsoft.com                           | 80                | Certificates                            | N/A                      |
| microsoft.com                                   | 80                | Certificates                            | N/A                      |


Important: Microsoft has finished transitioning the URLs it uses for Agent traffic; the URLs listed in the table below are no longer supported. To prevent your session host VMs from showing Needs Assistance because of this change, be sure to allow *.prod.warm.ingest.monitor.core.windows.net if you have not already done so. In addition, remove these URLs from your allow-list if you previously allowed them explicitly.

No Longer Supported

| Address                                             | Outbound TCP Port | Purpose       | Service Tag |
|-----------------------------------------------------|-------------------|---------------|-------------|
| gcs.prod.monitoring.core.windows.net                | 443               | Agent Traffic | AzureCloud  |
| production.diagnostics.monitoring.core.windows.net  | 443               | Agent Traffic | AzureCloud  |
| *xt.blob.core.windows.net                           | 443               | Agent Traffic | AzureCloud  |
| *eh.servicebus.windows.net                          | 443               | Agent Traffic | AzureCloud  |
| *xt.table.core.windows.net                          | 443               | Agent Traffic | AzureCloud  |
| *xt.queue.core.windows.net                          | 443               | Agent Traffic | AzureCloud  |


Aside from the connections above, some scripted actions pull binaries from external websites, such as official download pages and open-source GitHub repositories. If scripted actions are not being used, these addresses can be ignored.

| Address            | Port | Scripted Action     | Details                  |
|--------------------|------|---------------------|--------------------------|
| github.com         | 443  | WVD Optimization    | Fetches additional code  |
| teams.microsoft.com| 443  | Install MS Teams    | Downloads MS Teams client|
| microsoft.com      | 443  | Install Office 365  | Downloads the ODT tool   |
| support.zoom.us    | 443  | Install Zoom VDI    | Downloads Zoom VDI client|


If desired, you can read the scripts, retrieve the appropriate downloads, self-host the files, and change the scripted action code to point to your own servers. This gives further control in heavily restricted environments, but it adds maintenance effort and complexity.

Important Notes:

  • The Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the DVD-ROM must be enabled in the OS in the generalized image. If it is disabled, the Windows VM is stuck at OOBE.

  • The Azure DSC extensions used by Nerdio Manager rely on PowerShell and WinRM. Make sure WinRM is not disabled on session host VMs and that unsigned PowerShell scripts can run on them. If a GPO restricts WinRM and/or unsigned scripts, exclude the OU that contains the session hosts or create a naming prefix exclusion.
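The following script is an added example, not part of this article or of Nerdio Manager: run on a session host, it checks the non-wildcard endpoints from the tables above with a TCP connect, probes the Instance Metadata Service the way the platform expects (Metadata header, no proxy), and reports the WinRM and execution policy state described in the notes. Wildcard entries cannot be resolved to a single host, so they are flagged for manual review of the proxy or NSG allow-list rather than tested.

```powershell
# Added example (not from the Nerdio article). Run in an elevated Windows PowerShell
# session on the session host VM. Wildcard entries cannot be resolved directly and
# are only reported, so their allow-list entries must be checked by hand.

$Required = @(
    @{ Address = 'nmmstorageaccount.blob.core.windows.net';    Port = 443  },
    @{ Address = '*.wvd.microsoft.com';                         Port = 443  },
    @{ Address = '*.prod.warm.ingest.monitor.core.windows.net'; Port = 443  },
    @{ Address = 'catalogartifact.azureedge.net';               Port = 443  },
    @{ Address = 'kms.core.windows.net';                        Port = 1688 },
    @{ Address = 'azkms.core.windows.net';                      Port = 1688 },
    @{ Address = 'mrsglobalsteus2prod.blob.core.windows.net';   Port = 443  },
    @{ Address = 'wvdportalstorageblob.blob.core.windows.net';  Port = 443  },
    @{ Address = '169.254.169.254';                             Port = 80   },
    @{ Address = '168.63.129.16';                               Port = 80   },
    @{ Address = 'oneocsp.microsoft.com';                       Port = 80   },
    @{ Address = 'microsoft.com';                               Port = 80   }
)

$Results = foreach ($Entry in $Required) {
    if ($Entry.Address.StartsWith('*')) {
        [pscustomobject]@{ Address = $Entry.Address; Port = $Entry.Port; Status = 'WILDCARD (verify allow-list)' }
        continue
    }
    # Test-NetConnection performs the DNS lookup and a TCP handshake; -InformationLevel Quiet
    # returns $true on success and $false (with a warning) if DNS, routing, NSG or proxy blocks it.
    $Ok = Test-NetConnection -ComputerName $Entry.Address -Port $Entry.Port `
                             -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Address = $Entry.Address; Port = $Entry.Port; Status = if ($Ok) { 'OK' } else { 'BLOCKED' } }
}
$Results | Format-Table -AutoSize

# IMDS is only reachable from the VM itself, must bypass any proxy, and requires the Metadata header.
try {
    $Meta = Invoke-RestMethod -Uri 'http://169.254.169.254/metadata/instance/compute?api-version=2021-02-01' `
                              -Headers @{ Metadata = 'true' } -TimeoutSec 5
    "IMDS OK: VM '$($Meta.name)' in resource group '$($Meta.resourceGroupName)'"
} catch {
    "IMDS BLOCKED: $($_.Exception.Message) (check proxy bypass for 169.254.169.254 and NSG rules)"
}

# Prerequisites for the Azure DSC extension, per the Important Notes above.
"WinRM service: $((Get-Service WinRM).Status)"
"PowerShell execution policy: $(Get-ExecutionPolicy)"
```

Any row reporting BLOCKED, an IMDS failure, a stopped WinRM service, or a Restricted/AllSigned execution policy points at the route, NSG, proxy or GPO setting that needs an exclusion before the session host can be deployed by Nerdio Manager.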
