Required Outbound Internet Access from AVD Session Host VMs
In some Azure environments, newly created session host VMs are prevented from reaching the internet. This is usually done with custom routing (forced tunneling) and network security groups (NSGs) at the virtual network level, or with proxy settings and custom security configuration pushed to the session host VMs through Active Directory GPO.
For Nerdio Manager to automate the creation and management of AVD session host VMs, the VMs must be able to reach the Azure and Microsoft services listed below on the ports shown. Each entry is outbound from the session host; no inbound rules are required for this traffic.
Note: For additional information, or for the URLs required for Azure US Government tenants, see Required URL List.
Address | Outbound TCP Port | Purpose | Service Tag
---|---|---|---
login.microsoftonline.com | 443 | Authentication to Microsoft Online Services | N/A
nmwextensions.blob.core.windows.net | 443 | Nerdio | AzureCloud
*.wvd.microsoft.com | 443 | Service Traffic | WindowsVirtualDesktop
*.prod.warm.ingest.monitor.core.windows.net | 443 | Agent Traffic | AzureCloud
catalogartifact.azureedge.net | 443 | Azure Marketplace | AzureFrontDoor.Frontend
gcs.prod.monitoring.core.windows.net | 443 | Agent Traffic | AzureCloud
kms.core.windows.net | 1688 | Windows Activation | Internet
azkms.core.windows.net | 1688 | Windows Activation | Internet
mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS Stack Updates | AzureCloud
wvdportalstorageblob.blob.core.windows.net | 443 | Azure Portal Support | AzureCloud
169.254.169.254 | 80 | Azure Instance Metadata Service endpoint | N/A
168.63.129.16 | 80 | Session host health monitoring (Azure platform) | N/A
oneocsp.microsoft.com | 80 | Certificates (OCSP) | N/A
www.microsoft.com | 80 | Certificates | N/A

Two caveats when turning this table into rules. First, NSG service tags match IP ranges, not host names: a rule built on AzureCloud or WindowsVirtualDesktop permits traffic to everything behind that tag, so the wildcard entries such as *.wvd.microsoft.com can only be narrowed to the exact FQDN with a proxy or an FQDN-aware firewall. Second, the two platform addresses 169.254.169.254 and 168.63.129.16 speak plain HTTP and must be excluded from any proxy configuration; a proxy pushed by GPO intercepts them even when the NSG allows TCP 80, and the agent then reports the host as unhealthy.
Important: Microsoft has finished moving its Agent traffic away from the URLs listed in the table below; these URLs are no longer supported. To prevent your session host VMs from showing Needs Assistance because of this, make sure *.prod.warm.ingest.monitor.core.windows.net (TCP 443) is allowed if it is not already. In addition, remove the URLs below from your allow lists if you previously added them explicitly, so that stale rules do not remain in your firewall or proxy configuration.
Address | Outbound TCP Port | Purpose | Service Tag
---|---|---|---
production.diagnostics.monitoring.core.windows.net | 443 | Agent Traffic | AzureCloud
*xt.blob.core.windows.net | 443 | Agent Traffic | AzureCloud
*eh.servicebus.windows.net | 443 | Agent Traffic | AzureCloud
*xt.table.core.windows.net | 443 | Agent Traffic | AzureCloud
*xt.queue.core.windows.net | 443 | Agent Traffic | AzureCloud
Azure Virtual Desktop session hosts require an additional port to be opened when FSLogix profile containers are stored on file shares. See the Microsoft article on FSLogix network requirements for details.
Address | Outbound TCP Port | Purpose | Service Tag
---|---|---|---
[FQDN of storage] | 445 | SMB access to FSLogix file shares | N/A
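To check the required-access table above and the FSLogix share entry in one pass from a session host, the following PowerShell script (an added example, not Nerdio's or Microsoft's code) tests a TCP connection to each listed endpoint and then exercises the two platform addresses the way the agent does, bypassing any proxy. Wildcard table entries are represented by one concrete host each; `rdweb.wvd.microsoft.com` is assumed as a representative *.wvd.microsoft.com host, and `$FsLogixStorageFqdn` is a placeholder for your own storage account FQDN. Run it in an elevated PowerShell session on the VM.

```powershell
# Added example (not Nerdio's or Microsoft's code): verify outbound access from a session host.
# Assumptions: rdweb.wvd.microsoft.com stands in for the *.wvd.microsoft.com wildcard, and the
# default value of $FsLogixStorageFqdn is a placeholder that must be replaced.
param(
    [string]$FsLogixStorageFqdn = 'mystorageaccount.file.core.windows.net'  # placeholder
)

$endpoints = @(
    @{ Host = 'login.microsoftonline.com';                  Port = 443;  Purpose = 'Authentication' },
    @{ Host = 'nmwextensions.blob.core.windows.net';        Port = 443;  Purpose = 'Nerdio' },
    @{ Host = 'rdweb.wvd.microsoft.com';                    Port = 443;  Purpose = 'AVD service traffic (*.wvd.microsoft.com)' },
    @{ Host = 'gcs.prod.monitoring.core.windows.net';       Port = 443;  Purpose = 'Agent traffic' },
    @{ Host = 'catalogartifact.azureedge.net';              Port = 443;  Purpose = 'Azure Marketplace' },
    @{ Host = 'kms.core.windows.net';                       Port = 1688; Purpose = 'Windows activation' },
    @{ Host = 'azkms.core.windows.net';                     Port = 1688; Purpose = 'Windows activation' },
    @{ Host = 'mrsglobalsteus2prod.blob.core.windows.net';  Port = 443;  Purpose = 'Agent and SXS stack updates' },
    @{ Host = 'wvdportalstorageblob.blob.core.windows.net'; Port = 443;  Purpose = 'Azure portal support' },
    @{ Host = 'oneocsp.microsoft.com';                      Port = 80;   Purpose = 'Certificates (OCSP)' },
    @{ Host = 'www.microsoft.com';                          Port = 80;   Purpose = 'Certificates' },
    @{ Host = $FsLogixStorageFqdn;                          Port = 445;  Purpose = 'FSLogix SMB share' }
)

# Test-NetConnection resolves the name and completes a TCP handshake on the given port.
# -InformationLevel Quiet makes it return a plain $true/$false.
$results = foreach ($e in $endpoints) {
    $ok = Test-NetConnection -ComputerName $e.Host -Port $e.Port -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $e.Host; Port = $e.Port; Purpose = $e.Purpose; Reachable = $ok }
}

# The platform addresses are plain HTTP and must not traverse a proxy. A proxy pushed by GPO
# would intercept them even though the NSG allows TCP 80, so test with UseProxy = $false.
# HttpClient is used because Windows PowerShell 5.1 has no -NoProxy switch.
function Test-PlatformEndpoint {
    param([string]$Uri, [hashtable]$Headers = @{})
    $handler = New-Object System.Net.Http.HttpClientHandler
    $handler.UseProxy = $false
    $client = New-Object System.Net.Http.HttpClient($handler)
    $client.Timeout = [TimeSpan]::FromSeconds(5)
    foreach ($k in $Headers.Keys) { $client.DefaultRequestHeaders.Add($k, $Headers[$k]) }
    try   { return [int]$client.GetAsync($Uri).GetAwaiter().GetResult().StatusCode }
    catch { return -1 }
    finally { $client.Dispose() }
}

# IMDS requires the Metadata: true header; the wire server answers a version query on /?comp=versions.
$imds = Test-PlatformEndpoint -Uri 'http://169.254.169.254/metadata/instance?api-version=2021-02-01' -Headers @{ Metadata = 'true' }
$wire = Test-PlatformEndpoint -Uri 'http://168.63.129.16/?comp=versions'

$results += [pscustomobject]@{ Host = '169.254.169.254'; Port = 80; Purpose = 'Instance Metadata Service';   Reachable = ($imds -eq 200) }
$results += [pscustomobject]@{ Host = '168.63.129.16';   Port = 80; Purpose = 'Session host health (wire)';  Reachable = ($wire -eq 200) }

$results | Format-Table -AutoSize
$failed = $results | Where-Object { -not $_.Reachable }
if ($failed) {
    Write-Warning ("{0} endpoint(s) unreachable: {1}" -f $failed.Count, (($failed | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ', '))
    exit 1
}
Write-Host 'All required endpoints reachable.'
```

A TCP success on port 443 only proves the handshake completed, so a TLS-inspecting proxy can still break the agent; if a host shows reachable here but the session host stays in Needs Assistance, check the proxy and certificate chain next. Port 445 results are meaningful only inside the virtual network, since SMB to the public internet is blocked by the Azure platform regardless of NSG rules.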
The following table lists optional URLs that your session host virtual machines might also need to reach for other services:
Address | Outbound TCP Port | Purpose
---|---|---
login.windows.net | 443 | Sign in to Microsoft Online Services and Microsoft 365
*.events.data.microsoft.com | 443 | Telemetry Service
www.msftconnecttest.com | 443 | Detects if the session host is connected to the internet
*.prod.do.dsp.mp.microsoft.com | 443 | Windows Update
*.sfx.ms | 443 | Updates for OneDrive client software
*.digicert.com | 443 | Certificate revocation check
*.azure-dns.com | 443 | Azure DNS resolution
*.azure-dns.net | 443 | Azure DNS resolution
raw.githubusercontent.com | 443 | NVIDIA GPU drivers
download.microsoft.com | 443 | NVIDIA GPU drivers
Aside from the above connections, some scripted actions and Nerdio Manager functions pull binaries from various websites, such as official download pages and open-source GitHub repositories. Include these addresses in your firewall exclusions if you use automated deployment for the applications listed.
Address | Port | Scripted Action | Details
---|---|---|---
github.com | 443 | WVD Optimization | Fetches additional code
teams.microsoft.com | 443 | Install MS Teams | Downloads the MS Teams client
microsoft.com | 443 | Install Office 365 | Downloads the Office Deployment Tool (ODT)
support.zoom.us | 443 | Install Zoom VDI | Downloads the Zoom VDI client
s3.amazonaws.com | 443 | Install ControlUp Agent | Downloads the ControlUp agent
If desired, you can read the scripts, retrieve the appropriate downloads, self-host the files, and change the scripted action code to point to your own servers. This gives heavily restricted environments more control over what reaches the session hosts, but it also makes you responsible for keeping the hosted copies current and for verifying their integrity: a self-hosted installer that was tampered with before or after staging will be deployed to every session host the scripted action touches.
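One way to stage a vendor installer on an internal share for a modified scripted action, accepting the file only if its Authenticode signature is valid and its SHA-256 matches a hash you recorded when you first vetted the download (an added example, not Nerdio's code). `$SourceUri`, `$ExpectedSha256` and the default `$InternalShare` path are placeholders you supply; the example assumes the download URL ends in the file name.

```powershell
# Added example (not Nerdio's code): stage a downloaded binary for self-hosting only after
# pinning its hash and checking its Authenticode signature. All parameters are placeholders.
param(
    [Parameter(Mandatory)] [string]$SourceUri,        # vendor's official download URL
    [Parameter(Mandatory)] [string]$ExpectedSha256,   # hash recorded when the file was vetted
    [string]$InternalShare = '\\fileserver\installers' # placeholder internal location
)

# Assumption: the URL's last path segment is the file name (true for the vendor URLs listed above).
$fileName = [IO.Path]::GetFileName(([uri]$SourceUri).AbsolutePath)
$staging  = Join-Path $env:TEMP $fileName
Invoke-WebRequest -Uri $SourceUri -OutFile $staging -UseBasicParsing

# 1. Hash pin: Get-FileHash returns upper-case hex, so normalise the expected value before comparing.
$actual = (Get-FileHash -Path $staging -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
    Remove-Item $staging -Force
    throw "SHA-256 mismatch for $SourceUri (got $actual, expected $ExpectedSha256); not staging."
}

# 2. Authenticode: rejects an unsigned, tampered or re-signed binary even if the pinned hash is stale.
$sig = Get-AuthenticodeSignature -FilePath $staging
if ($sig.Status -ne 'Valid') {
    Remove-Item $staging -Force
    throw "Authenticode status for $fileName is '$($sig.Status)'; refusing to stage."
}
Write-Host ("Signed by: {0}" -f $sig.SignerCertificate.Subject)

# 3. Publish to the internal share and record the hash beside it so the modified scripted
#    action can repeat the check on the session host before installing.
$target = Join-Path $InternalShare $fileName
Copy-Item -Path $staging -Destination $target -Force
Set-Content -Path "$target.sha256" -Value $actual
Write-Host "Staged $target ($actual)"
```

The scripted action that consumes the share should re-run the `Get-FileHash` comparison against the `.sha256` file before executing the installer, so that a compromised file server cannot silently substitute a binary; the hash file and the installer should be writable only by the account that runs this staging script.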
Important Notes:
The Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the DVD-ROM must be enabled in the OS of the generalized image. If it is disabled, the Windows VM is stuck at OOBE.
The Azure DSC extension used by Nerdio Manager relies on PowerShell and WinRM. Make sure WinRM is not disabled on session host VMs and that the PowerShell execution policy allows unsigned scripts to run on them. If a GPO restricts WinRM or enforces an AllSigned or Restricted execution policy at machine-policy scope, exclude the OU that contains the session hosts from that GPO, or filter the GPO so that computers matching the session host naming prefix are excluded. Keep the exception scoped to the session host OU rather than relaxing the policy domain-wide.
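The following PowerShell script (an added example, not Nerdio's code) checks the two prerequisites above on a session host or on the VM you are about to generalize: that a DVD-ROM device is present and enabled, that WinRM is running and answering, and that no GPO-enforced execution policy will block the unsigned DSC scripts. Run it elevated.

```powershell
# Added example (not Nerdio's code): verify the Important Notes prerequisites on a session host.
$problems = @()

# 1. DVD-ROM: the platform mounts a provisioning ISO, so the device must exist and be enabled.
$cdroms = @(Get-PnpDevice -Class CDROM -ErrorAction SilentlyContinue)
if ($cdroms.Count -eq 0) {
    $problems += 'No CD/DVD-ROM device is enumerable; a VM created from this image may hang at OOBE.'
} else {
    foreach ($d in $cdroms) {
        if ($d.Status -ne 'OK') {
            $problems += "CD/DVD-ROM '$($d.FriendlyName)' status is '$($d.Status)'. Enable it with: Enable-PnpDevice -InstanceId '$($d.InstanceId)'"
        }
    }
}

# 2. WinRM: the DSC extension needs the service running and a listener answering locally.
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running' -or $winrm.StartType -eq 'Disabled') {
    $problems += "WinRM service is $($winrm.Status) with start type $($winrm.StartType)."
}
try {
    Test-WSMan -ErrorAction Stop | Out-Null
} catch {
    $problems += "WinRM is not answering locally: $($_.Exception.Message)"
}

# 3. Execution policy: a GPO sets the MachinePolicy scope, which overrides every local setting.
#    AllSigned or Restricted there blocks the extension's unsigned scripts regardless of what
#    Set-ExecutionPolicy was run on the host.
$machinePolicy = (Get-ExecutionPolicy -List | Where-Object Scope -eq 'MachinePolicy').ExecutionPolicy
if ($machinePolicy -in 'AllSigned', 'Restricted') {
    $problems += "GPO-enforced execution policy is $machinePolicy; unsigned DSC scripts will be blocked. Exclude this OU or naming prefix from that GPO."
}
Write-Host "Effective execution policy: $(Get-ExecutionPolicy)"

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host 'DVD-ROM, WinRM and execution policy prerequisites are satisfied.'
```

Running this against the golden image before you run sysprep catches the DVD-ROM case early, which is otherwise only visible as a VM that never leaves OOBE; the WinRM and execution-policy checks are worth repeating on a domain-joined host, since the GPO that breaks them is applied only after the join.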