Multiple storage accounts for NME-related actions for network segmentation

Hi, during several of the last deployments I have been a part of, an issue about network traffic has come up in the discussion.

Problem description: When NME is managing an AVD environment spread over multiple subscriptions with a private endpoint configuration, there are cases where the MS Cloud Adoption Framework is followed to implement security zones. Some of these zones are not allowed to talk to each other; this causes a problem for AVD session hosts deployed and managed by NME, as the session host is required to talk to the storage account in the NME resource group. Under the CAF security framework, this might not be possible and should not be allowed.

It would be great to have the ability to instruct the AVD session hosts where it can look for storage accounts inside its own subscription.

As an example:

Two security zones: Corp and Synt - separated by subscription (and vNet)

Both zones have AVD host pools in them for different use cases.

Corp is allowed to talk to, retrieve and push data to all zones

Synt is not allowed to initiate any connection to Corp - making retrieving data not possible.

NME deployed in Corp, with Synt subscription added (Corp->Synt OK). 

Most management elements from NME work fine.

When creating a new host in the Synt-based host pool, this fails due to no access to the cssa* storage account in Corp (Synt->Corp blocked).

Possible solutions:

Create an app setting or host-pool setting defining where the AVD session host is to collect its NME-specific scripted actions etc.

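The failure described in the post (a Synt session host unable to reach the NME storage account behind a private endpoint in Corp) can be confirmed from the session host itself before opening a ticket. The following PowerShell is an added diagnostic, not code from the original post or from Nerdio. It assumes a hypothetical storage account name `cssaexample` (the real account only appears as `cssa*` above) and that the account is exposed through a blob private endpoint; it resolves the blob FQDN, checks whether it lands on a privatelink name with an RFC 1918 address (i.e. the private endpoint in Corp), and then tests TCP 443 to it.

```powershell
# Added diagnostic (not from the original post or from NME/Nerdio).
# Run on an AVD session host in the Synt zone to see whether the NME
# scripted-actions storage account in Corp is reachable through its private endpoint.

function Test-NmeStorageReach {
    param(
        # Placeholder name; substitute the real cssa* account from the NME resource group.
        [string]$StorageAccount = 'cssaexample',
        [int]$Port = 443
    )

    $fqdn = "$StorageAccount.blob.core.windows.net"
    $result = [ordered]@{
        Fqdn             = $fqdn
        CnameChain       = @()
        ResolvedIPs      = @()
        ViaPrivateLink   = $false
        PrivateAddress   = $false
        TcpReachable     = $false
        Verdict          = ''
    }

    # 1. DNS: with a private endpoint, the public name should CNAME to
    #    <account>.privatelink.blob.core.windows.net and resolve to a private IP.
    $records = Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue
    if (-not $records) {
        $result.Verdict = 'DNS resolution failed; the session host cannot even locate the account.'
        return [pscustomobject]$result
    }

    $result.CnameChain  = @($records | Where-Object { $_.Type -eq 'CNAME' } | ForEach-Object { $_.NameHost })
    $result.ResolvedIPs = @($records | Where-Object { $_.Type -eq 'A' }     | ForEach-Object { $_.IPAddress })
    $result.ViaPrivateLink = [bool]($result.CnameChain | Where-Object { $_ -like '*.privatelink.blob.core.windows.net' })

    # RFC 1918 check: 10/8, 172.16/12, 192.168/16.
    $result.PrivateAddress = [bool]($result.ResolvedIPs | Where-Object {
        $_ -match '^10\.' -or $_ -match '^192\.168\.' -or $_ -match '^172\.(1[6-9]|2\d|3[01])\.'
    })

    # 2. TCP: can the host actually open a connection on 443?
    $tnc = Test-NetConnection -ComputerName $fqdn -Port $Port -WarningAction SilentlyContinue
    $result.TcpReachable = [bool]$tnc.TcpTestSucceeded

    # 3. Interpret. A privatelink name with a private IP that does not answer on 443
    #    is the Synt->Corp block from the post, not a storage-account problem.
    if ($result.ViaPrivateLink -and $result.PrivateAddress -and -not $result.TcpReachable) {
        $result.Verdict = 'Private endpoint resolved but TCP blocked: cross-zone (e.g. Synt->Corp) traffic is denied.'
    } elseif ($result.ViaPrivateLink -and $result.TcpReachable) {
        $result.Verdict = 'Private endpoint reachable; storage access should work from this host.'
    } elseif (-not $result.ViaPrivateLink) {
        $result.Verdict = 'Name resolves to the public endpoint; private DNS zone is not linked to this vNet.'
    } else {
        $result.Verdict = 'Unexpected combination; inspect the fields above.'
    }

    return [pscustomobject]$result
}

# Usage on a session host (placeholder account name):
Test-NmeStorageReach -StorageAccount 'cssaexample' | Format-List
```

If the verdict reports a private address that is not reachable on 443, the block is at the network layer (NSG, Azure Firewall or missing peering between the zone vNets), which is exactly the CAF constraint the post describes; pointing the host at a storage account inside its own subscription, as the post proposes, is what would remove that dependency. If the name resolves to a public IP instead, the problem is DNS (the privatelink private DNS zone is not linked to the Synt vNet), which is a different fix.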