Required Outbound Internet Access from AVD Session Host VMs
In some Azure environments, newly created session host VMs are restricted from connecting to the internet. This may be done with custom routing and network security groups (NSG) at the virtual network level or with proxy settings or custom security configurations pushed to the session host VMs via Active Directory GPO.
In order for Nerdio Manager to be able to automate the creation and management of AVD session host VMs, the following access to Azure and Microsoft services must be possible.
Address | Outbound TCP Port | Purpose | Service Tag |
---|---|---|---|
nmmstorageaccount.blob.core.windows.net | 443 | Nerdio | |
*.wvd.microsoft.com | 443 | Service Traffic | |
*.prod.warm.ingest.monitor.core.windows.net | 443 | Agent Traffic | AzureCloud |
catalogartifact.azureedge.net | 443 | Azure Marketplace | AzureFrontDoor.Frontend |
kms.core.windows.net | 1688 | Windows Activation | Internet |
azkms.core.windows.net | 1688 | Windows Activation | Internet |
mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS Stack Updates | AzureCloud |
wvdportalstorageblob.blob.core.windows.net | 443 | Azure Portal Support | Azure Cloud |
169.254.169.254 | 80 | N/A | |
168.63.129.16 | 80 | N/A | |
oneocsp.microsoft.com | 80 | Certificates | N/A |
microsoft.com | 80 | Certificates | N/A |
Important: Microsoft has finished transitioning the URLs listed in the table below that they use for Agent traffic. That is, they no longer support the URLs shown below. To avoid your session host VMs from showing Needs Assistance related to this, be sure to allow *.prod.warm.ingest.monitor.core.windows.net, if you have not already. In addition, be sure to remove these URLs if you have previously explicitly allowed them.
Address | Outbound TCP Port | Purpose | Service Tag |
---|---|---|---|
gcs.prod.monitoring.core.windows.net | 443 | Agent Traffic | AzureCloud |
production.diagnostics.monitoring.core.windows.net | 443 | Agent Traffic | AzureCloud |
*xt.blob.core.windows.net | 443 | Agent Traffic | AzureCloud |
*eh.servicebus.windows.net | 443 | Agent Traffic | AzureCloud |
*xt.table.core.windows.net | 443 | Agent Traffic | AzureCloud |
*xt.queue.core.windows.net | 443 | Agent Traffic | AzureCloud |
Aside from the above connections, some scripted actions pull binaries from various websites, such as Official Download pages and open-source GitHub repos. If scripted actions are not being used, these addresses can be ignored.
Address | Port | Scripted Action | Details |
---|---|---|---|
github.com | 443 | WVD Optimization | Fetches Additional Code |
teams.microsoft.com | 443 | Install MS Teams | Downloads MS Teams Client |
microsoft.com | 443 | Install Office 365 | Download ODT Tool |
support.zoom.us | 443 | Install Zoom VDI | Download Zoom VDI Client |
If desired, it is possible to read the scripts and retrieve the appropriate downloads, then self-host the files and change the scripted action code to point to your own servers. This allows further control for heavily restricted environments, but may introduce increased maintenance and complexity.
Important Notes:
The Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the DVD-ROM must be enabled in the OS in the generalized image. If it is disabled, the Windows VM is stuck at OOBE.
The Azure DSC extensions used by Nerdio Manager leverage PowerShell and WinRM. Be sure that WinRM is not disabled on session host VMs and that unsigned PowerShell scripts can be run on these VMs. If there is a GPO restricting WinRM, and/or unsigned scripts, exclude the OU that contains the session hosts or create a naming prefix exclusion.
Comments (0 comments)