Harden Nerdio Manager

Harden Nerdio Manager

By restricting network traffic, Nerdio Manager can be hardened in the following areas:

  • Storage Accounts: These are used by both AVD and Nerdio Manager to store various sorts of data. Most notably, storage accounts are used for holding end-user's FSLogix Profiles, boot diagnostics, custom scripted actions, and MSIX app attach packages.

  • SQL: Nerdio Manager relies on communication between two Azure PaaS services: Azure App Service and Azure SQL Database. By default, this communication is encrypted with Transport Layer Security, and data at rest is also encrypted using Transparent Data Encryption.

  • App Service: The entry point into the Nerdio Manager application is the App Service. By default, the Nerdio Manager App Service is protected with Entra ID authentication, including MFA and conditional access, and is accessible from any internet location. 

  • Key Vaults: Key Vaults allow for the secure storage and access of secrets. These include API keys, passwords, and certificates. SQL connectivity is also dependent on the key vault due to this being the storage location for the SQL connection string.

Note: This topic discusses hardening Nerdio Manager using a script. You may manually harden Nerdio Manager components. For details, see the following topics:

An Azure runbooks script is available to add private endpoints and service endpoints to allow the Nerdio Manager app service to communicate with the SQL database and the Azure Key Vault over a private network, with no traffic routed over the public internet. Access to the SQL database and the Azure Key Vault is restricted to the private network.

Note: When enabling private endpoints, if the storage account that stores scripted actions is made private, then Azure runbooks scripted actions stop working. The fix for this is to use the Hybrid Worker option with scripted actions. The Hybrid Worker VM needs to be on a VNet that has access to the storage account. If using the private endpoint script, that means the Hybrid Worker VM needs to be on the peered VNet or the private endpoints VNet that the private endpoint script creates.


  • The App Service Plan, which is essentially the "performance tier" for the server that is hosting the app, must support VNet integration. Please see this Microsoft article for details on supported plans.

  • A virtual network (VNet) that can be used to connect to the App Service and the Storage Account. This virtual network needs outbound access for Nerdio Manager to talk to Nerdio licensing servers via HTTPS (TCP/443).

Warning: Variables specified in clear text are visible in the Azure Automation logs. To pass sensitive data use Global Secure Variables. See Scripted Actions Global Secure Variables for details.

To harden Nerdio Manager:

  1. Navigate to Scripted Actions > Azure runbooks.

  2. Find the script Enable Private Endpoints.

  3. From the action menu, select either Run now or Schedule.

  4. Enter the following optional values:

    • PeerVnetId: Optionally, type the Resource ID for an existing network.

      Note: This is the Resource ID of the VNet to peer to the private endpoint VNet. Supplying a Resource ID for an existing network causes that network to be peered to the new private network. Nerdio recommends against peering to other production networks in hardened scenarios, unless (1) access to storage account has been restricted, or (2) the app service has been configured as private.

    • StorageAccountResource: Optionally, type the storage account to be included in private endpoint subnet.

      Note: Access to this storage account is restricted to Nerdio Manager and peered VNets. This parameter only accepts a single storage account, which should be an Azure Files location.

    • MakeAppServicePrivate: Set to true to limit access to the Nerdio Manager application.

      Note: If set to true, only hosts on the VNet created by this script, or on peered VNets, are able to access the app service URL.

  5. Once you have entered all the desired information, select Run now (not scheduled) or Save & close (scheduled).



Nerdio Manager is Veracode verified

Was this article helpful?

0 out of 0 found this helpful
Have more questions? Submit a request

Comments (0 comments)

Please sign in to leave a comment.