
Azure Private Link for Azure Virtual Desktop

Published
4 min read

I’m Amir Rouhanipoor, an IT Consultant specializing in Azure and cloud solutions. I help organizations streamline their IT and drive growth through secure, efficient cloud technologies.

Securing Your Azure Virtual Desktop with Private Link: A Three-Tiered Approach

Azure Virtual Desktop (AVD) integrates with Azure Private Link so that clients and session hosts reach the AVD control plane through private endpoints in your virtual network instead of over public IP addresses. Private Link for AVD covers three distinct workflows, and each one needs its own kind of private endpoint (identified by its target sub-resource):

  1. Initial Feed Discovery (Global): This is the AVD "directory" lookup that lets a client find all the workspaces assigned to the user. It needs one private endpoint with the global sub-resource, created on a workspace resource. Crucially, you create only one of these for the whole AVD deployment, regardless of how many workspaces you have.

  2. Feed Download (Per Workspace): Once the client knows which workspaces exist, it downloads each workspace feed (the list of desktops and apps with their connection details). This needs a separate private endpoint with the feed sub-resource for every workspace you want reachable over Private Link. Each workspace gets its own private "download station."

  3. Connections to Host Pools (Per Host Pool): Finally, the session itself, which is brokered and relayed through the host pool. This needs a separate private endpoint with the connection sub-resource for every host pool you want to secure with Private Link; both the client and the session hosts in that pool use it. Each host pool gets its own private "connection tunnel."

Flexible Implementation Options:

You have flexibility in how you use these private endpoints:

  • Fully Private: All three workflows (feed discovery, feed download, and connections) use Private Link. Highest isolation, but every client must be able to resolve and reach the private endpoints, so remote users need a VPN or ExpressRoute path and DNS that uses the private zones.

  • Hybrid Approach 1: Feed download and connections are private, but initial feed discovery uses the public route. A balance of security and convenience: the only public traffic is the discovery request, which returns no connection details on its own.

  • Hybrid Approach 2: Only connections are private. Feed discovery and download use public routes. Focuses protection on the actual desktop sessions.

  • Public Only: No Private Link used. All traffic goes over the public internet. Least isolated, but simplest to set up.

By understanding these three workflows and the implementation options, you can tailor your Private Link strategy to your security and accessibility needs, whether that means securing access for remote workers or extending your on-premises network into AVD. The remaining sections walk through a lab deployment.

Tasks

1. Re-register the Azure Virtual Desktop Resource Provider

  1. Sign in to the Azure portal.

  2. Navigate to Subscriptions > select your subscription > Resource providers.

  3. Search for Microsoft.DesktopVirtualization and click Re-register. Re-registering is non-disruptive to existing host pools; it simply makes sure the provider exposes the Private Link sub-resources (connection, feed, global) in this subscription.

2. Create an Azure Virtual Network Subnet

  1. Go to Virtual networks > select your vnet (e.g. az140-vnet11e).

  2. Under Settings, select Subnets > + Subnet.

  3. Configure:

    • Name: pe-Subnet

    • Starting address: 10.20.255.0 (a dedicated subnet for private endpoints; the endpoint NICs receive addresses from this range)

  4. Click Add.

3. Implement Private Endpoints

For Host Pool Connections:

  1. Go to Azure Virtual Desktop > Host pools > select your host pool (e.g. az140-21-hp1).

  2. Under Networking, select Private endpoint connections > + New private endpoint.

  3. Configure:

    • Resource Group: az140-11e-RG

    • Name: az140-11-pehp1

    • Region: East US

    • Target sub-resource: connection

    • Virtual Network: az140-vnet11e, Subnet: pe-Subnet

    • Private DNS integration: enabled. This creates (or reuses) the privatelink.wvd.microsoft.com private DNS zone, links it to the VNet and writes the A records for the endpoint, so that the AVD hostnames resolve to the private IP from inside the network.

  4. Click Create.

For Feed Download:

  1. Go to Azure Virtual Desktop > Workspaces > select az140-21-ws1.

  2. Under Networking, select Private endpoint connections > + New private endpoint.

  3. Configure:

    • Name: az140-11-pefeeddwnld

    • Target sub-resource: feed

    • Use the same network settings as above.

For Initial Feed Discovery:

  1. Repeat the workspace steps above (the global sub-resource is created on a workspace; only one such endpoint exists per deployment) with:

    • Name: az140-11-pefeeddisc

    • Target sub-resource: global

    • Private DNS integration for this endpoint uses a different zone, privatelink-global.wvd.microsoft.com, which the portal creates and links for you.
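The same three-endpoint build, as an added Azure PowerShell example that is not part of the original post. It assumes the Az.Accounts, Az.Network, Az.PrivateDns and Az.DesktopVirtualization modules, an existing Connect-AzAccount session, the lab names used above, and a /24 prefix for pe-Subnet (the post only gives the starting address). The private DNS zone names are the ones Azure uses for the feed/connection and global sub-resources.

```powershell
# Added example (not from the original post): tasks 1-3 in Azure PowerShell.
$rg             = 'az140-11e-RG'
$location       = 'eastus'
$vnetName       = 'az140-vnet11e'
$peSubnet       = 'pe-Subnet'
$peSubnetPrefix = '10.20.255.0/24'   # assumption: /24 carved out of the lab VNet space
$hostPool       = 'az140-21-hp1'
$workspace      = 'az140-21-ws1'

# Task 1: (re-)register the resource provider so the Private Link sub-resources are available.
Register-AzResourceProvider -ProviderNamespace 'Microsoft.DesktopVirtualization' | Out-Null

# Task 2: dedicated subnet for private endpoints. Private endpoint network policies are
# disabled on it, which older API versions require before an endpoint can be placed there.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq $peSubnet)) {
    Add-AzVirtualNetworkSubnetConfig -Name $peSubnet -AddressPrefix $peSubnetPrefix `
        -VirtualNetwork $vnet -PrivateEndpointNetworkPoliciesFlag 'Disabled' | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$subnet = $vnet.Subnets | Where-Object Name -eq $peSubnet

# Private DNS zones: one for the per-workspace feed and per-host-pool connection endpoints,
# a separate one for the global feed-discovery endpoint. Both are linked to the VNet so
# that session hosts and clients in it resolve the AVD hostnames to the endpoint IPs.
$zones = @{
    'privatelink.wvd.microsoft.com'        = $null
    'privatelink-global.wvd.microsoft.com' = $null
}
foreach ($zoneName in @($zones.Keys)) {
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
            -Name "$vnetName-link" -VirtualNetworkId $vnet.Id | Out-Null
    }
    $zones[$zoneName] = $zone
}

# Helper (name is ours): creates a private endpoint for an AVD resource and sub-resource
# (group ID), then attaches a DNS zone group so the A records are written automatically.
function New-AvdPrivateEndpoint {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $TargetResourceId,
        [Parameter(Mandatory)] [ValidateSet('connection', 'feed', 'global')] [string] $GroupId,
        [Parameter(Mandatory)] [string] $ZoneName
    )
    $conn = New-AzPrivateLinkServiceConnection -Name "$Name-conn" `
        -PrivateLinkServiceId $TargetResourceId -GroupId $GroupId
    $pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name $Name -Location $location `
        -Subnet $subnet -PrivateLinkServiceConnection $conn
    $zoneConfig = New-AzPrivateDnsZoneConfig -Name ($ZoneName -replace '\.', '-') `
        -PrivateDnsZoneId $zones[$ZoneName].ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null
    return $pe
}

$hp = Get-AzWvdHostPool  -ResourceGroupName $rg -Name $hostPool
$ws = Get-AzWvdWorkspace -ResourceGroupName $rg -Name $workspace

# Task 3: one endpoint per host pool (connection), one per workspace (feed), and a single
# global endpoint for the whole deployment, which is also created on a workspace resource.
New-AvdPrivateEndpoint -Name 'az140-11-pehp1'       -TargetResourceId $hp.Id -GroupId 'connection' -ZoneName 'privatelink.wvd.microsoft.com'
New-AvdPrivateEndpoint -Name 'az140-11-pefeeddwnld' -TargetResourceId $ws.Id -GroupId 'feed'       -ZoneName 'privatelink.wvd.microsoft.com'
New-AvdPrivateEndpoint -Name 'az140-11-pefeeddisc'  -TargetResourceId $ws.Id -GroupId 'global'     -ZoneName 'privatelink-global.wvd.microsoft.com'
```

Adding more host pools or workspaces later means one more `New-AvdPrivateEndpoint` call per resource with the matching group ID; the global endpoint is never repeated.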

4. Validate Private Endpoint Functionality

  1. Disable public access:

    • Azure Virtual Desktop > Workspaces > az140-21-ws1 > Networking > Disable public access.

    • Azure Virtual Desktop > Host pools > az140-21-hp1 > Networking > Disable public access.

  2. Restart session hosts:

    • Navigate to Host pools > Session hosts.

    • Select all hosts > Click Restart.

  3. Validate by connecting with a Remote Desktop client that has private network access, i.e. one running inside the VNet or reaching it over VPN/ExpressRoute, and whose DNS resolves the privatelink.wvd.microsoft.com and privatelink-global.wvd.microsoft.com zones. Subscribing to the workspace and opening a desktop should succeed, while a client on the public internet should now fail to retrieve the feed or connect at all.
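The lock-down and a DNS-level check, as an added Azure PowerShell example that is not part of the original post. It assumes the same lab names, a Connect-AzAccount session, a recent Az.DesktopVirtualization module (for the PublicNetworkAccess parameter) and that the Resolve-DnsName part is run from a machine inside the VNet or one whose DNS forwards to it. rdweb.wvd.microsoft.com is the hostname the client uses for initial feed discovery; the function name is ours.

```powershell
# Added example (not from the original post): task 4 in Azure PowerShell plus a DNS check.
$rg             = 'az140-11e-RG'
$hostPool       = 'az140-21-hp1'
$workspace      = 'az140-21-ws1'
$peSubnetPrefix = '10.20.255.0/24'   # assumption: prefix of pe-Subnet

# 1. Cut the public paths. With both disabled, a client that cannot reach the private
#    endpoints gets neither a feed nor a session, which is exactly what the test looks for.
Update-AzWvdWorkspace -ResourceGroupName $rg -Name $workspace -PublicNetworkAccess 'Disabled' | Out-Null
Update-AzWvdHostPool  -ResourceGroupName $rg -Name $hostPool  -PublicNetworkAccess 'Disabled' | Out-Null

# 2. Restart every session host so the AVD agent re-establishes its broker connection
#    over the private endpoint. The session host object carries the VM resource ID.
Get-AzWvdSessionHost -ResourceGroupName $rg -HostPoolName $hostPool | ForEach-Object {
    $vm = Get-AzResource -ResourceId $_.ResourceId
    Restart-AzVM -ResourceGroupName $vm.ResourceGroupName -Name $vm.Name -NoWait | Out-Null
}

# 3. From a client inside the VNet, the discovery hostname must now resolve to an address
#    in pe-Subnet. A public address here means the private DNS zone is not linked to the
#    client's VNet, or the client uses a DNS server that bypasses it.
function Test-AvdPrivateResolution {
    param(
        [string] $HostName = 'rdweb.wvd.microsoft.com',   # global feed-discovery FQDN
        [string] $Prefix   = $peSubnetPrefix
    )
    $net, $bits = $Prefix -split '/'
    # Network mask as an unsigned 32-bit integer, e.g. /24 -> 0xFFFFFF00.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    $toInt = {
        param($ip)
        # Reverse the bytes so BitConverter (little-endian) yields the network-order value.
        [BitConverter]::ToUInt32(([IPAddress]$ip).GetAddressBytes()[3..0], 0)
    }
    $answers = Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
    foreach ($a in $answers) {
        $inSubnet = ((& $toInt $a.IPAddress) -band $mask) -eq ((& $toInt $net) -band $mask)
        [pscustomobject]@{ Name = $a.Name; Address = $a.IPAddress; Private = $inSubnet }
    }
}
Test-AvdPrivateResolution | Format-Table
```

Run the same function against the per-workspace and per-host-pool names that appear in the privatelink.wvd.microsoft.com zone to confirm that feed download and connections are private as well; any answer with Private = False is a DNS path that still leads to the public service.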


Key Takeaways

✔️ Azure Private Link secures AVD connections.

✔️ Private endpoints are needed for feed discovery, feed download, and host pool connections.

✔️ Private DNS integration ensures proper name resolution: the privatelink.wvd.microsoft.com and privatelink-global.wvd.microsoft.com zones must be resolvable from every client and session host.

✔️ Public access should be disabled for full security.
