Problem:
NME doesn't support associating Application Security Groups (ASG) with session host VM NICs during deployment. It should!
Vision:
Add a drop-down menu for Application Security Group association in the Security section of the Virtual Machine tab of the host pool settings, much like how the one for Disk encryption sets exists today:

If an ASG isn't available/needed/desired/selected, the drop-down menu could just say “None”.
Description:
In a Zero Trust deployment, each session host VM NIC is deployed and associated with an ASG. This ASG is then referenced in the Network Security Group (NSG) rules associated with the subnet for session host VMs. Traffic inbound to these session hosts is allowed with the named ASG instead of an IP address range. A deny rule is used further down the NSG rule priority list to block any traffic not explicitly allowed.
This also allows the session host VMs and private endpoints for an AVD workload to coexist in the same subnet. This subnet can then be expanded to fill the full address space allocated to the AVD workload. This avoids the IP address waste involved with chopping up the VNet's address space into a subnet for session hosts with a separate subnet for a handful of private endpoints for storage and key vaults.
An ASG for the private endpoints would also be used, but I'm not looking for NME to manage that at this time, as there are other items to consider, like private endpoint network policy, best managed with an IaC deployment template.
Today, this ASG association can be done with a custom Azure Policy per host pool, but if it was able to be done in NME, that'd be way easier.
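The pattern described above, written out as an added Bicep example (not NME's code and not the author's): one session host NIC is placed in an ASG, and the subnet NSG allows inbound traffic by ASG membership rather than by address range, with an explicit deny after the allow rules. Resource names, the subnet ID, the management address range and the port are assumed placeholders.

```bicep
// Added example (not NME's code): a session host NIC placed in an ASG, plus an NSG that allows
// inbound traffic by ASG membership and denies the rest. Names, subnet ID and ranges are assumed.
param location string = resourceGroup().location
param subnetId string   // existing session host subnet; the NSG below is assumed attached to it
resource asgHosts 'Microsoft.Network/applicationSecurityGroups@2023-05-01' = {
  name: 'asg-avd-session-hosts'
  location: location
}
resource nsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-avd-subnet'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Mgmt-RDP-To-SessionHosts'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Tcp'
          sourceAddressPrefix: '10.1.0.0/24'   // assumed management subnet
          sourcePortRange: '*'
          destinationPortRange: '3389'
          // destination is the ASG, so no destinationAddressPrefix is set on this rule
          destinationApplicationSecurityGroups: [ { id: asgHosts.id } ]
        }
      }
      {
        // catch-all deny sits after every allow rule but before the 65000+ default rules
        name: 'Deny-All-Other-Inbound'
        properties: { priority: 4096, direction: 'Inbound', access: 'Deny', protocol: '*', sourceAddressPrefix: '*', sourcePortRange: '*', destinationAddressPrefix: '*', destinationPortRange: '*' }
      }
    ]
  }
}
resource nic 'Microsoft.Network/networkInterfaces@2023-05-01' = {
  name: 'nic-avd-host-01'
  location: location
  properties: {
    ipConfigurations: [
      {
        name: 'ipconfig1'
        properties: {
          subnet: { id: subnetId }
          applicationSecurityGroups: [ { id: asgHosts.id } ]   // the NIC becomes an ASG member
        }
      }
    ]
  }
}
```

Attaching `nsg` to the subnet (the subnet's `networkSecurityGroup` property) and the separate ASG for private endpoints in the same subnet are left out here, matching the scope the request describes. Because the NSG rule targets the ASG, a host is covered by the rule as soon as its NIC joins the ASG, with no IP range to update.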