Network Security for AVD
Complete the full lesson to earn 25 points
Work through each section, then tap “Mark as Complete” on the last one.
✦ Skip the page breaks and see fewer ads — read each lesson on a single page with Pro
Network Security for Azure Virtual Desktop (AVD)
Introduction: Why Network Security is the Foundation of AVD
When you deploy Azure Virtual Desktop (AVD), you are essentially extending your corporate workspace into the cloud. Unlike traditional on-premises Virtual Desktop Infrastructure (VDI), where the network perimeter is physically defined by firewalls and internal switches, AVD operates in a shared-responsibility model. This means that while Microsoft manages the underlying infrastructure, the security of the network traffic, access controls, and data flow is entirely in your hands. If you fail to secure the network, you are essentially leaving the front door of your virtual office unlocked for anyone to walk through.
Network security for AVD is not just about blocking unauthorized traffic; it is about creating a "zero-trust" environment where every connection is verified, every path is encrypted, and every resource is segmented. Because AVD users connect from various locations—home offices, coffee shops, and branch offices—the attack surface is dynamic and unpredictable. By mastering network security, you ensure that your intellectual property remains protected, your users experience minimal latency, and your compliance posture remains audit-ready. This lesson will guide you through the architecture, implementation, and maintenance of a secure AVD network environment.
Core Architecture of AVD Networking
To secure AVD, you must first understand how the traffic flows. AVD is a managed service, meaning the control plane (the "brain" of the operation) is hosted by Microsoft. However, your session hosts (the virtual machines where users actually work) reside in your Azure Virtual Network (VNet).
The Three Pillars of AVD Traffic
- The Control Plane Traffic: This is the communication between the AVD client and the Microsoft-managed service. It handles authentication, connection brokering, and management. This traffic is almost always handled over HTTPS (Port 443) and is inherently encrypted by Microsoft.
- The Session Traffic: This is the RDP (Remote Desktop Protocol) traffic between the user and the virtual machine. Modern AVD uses RDP Shortpath or standard reverse connect transport, which minimizes the need for inbound ports.
- The Backend Traffic: This is the communication between your session hosts and your internal resources, such as Active Directory (AD) Domain Controllers, File Servers (for FSLogix profiles), and SQL databases.
Callout: The "Reverse Connect" Concept In older VDI solutions, you had to open inbound ports on your firewall to allow traffic to reach your virtual desktops. This was a major security risk. AVD uses a "Reverse Connect" mechanism. The virtual machine initiates an outbound connection to the AVD service, and the service then "hooks" the user's incoming request onto that existing outbound connection. This means you do not need to open any inbound ports on your network firewall for AVD traffic.
Securing the Virtual Network (VNet)
Your VNet is the container for your AVD session hosts. If the VNet is insecure, the hosts inside it are vulnerable. We implement security here using a layered approach.
1. Network Security Groups (NSGs)
An NSG is a virtual firewall that acts as a filter for traffic going to and from your virtual machines. You should associate an NSG with every subnet where your AVD session hosts reside.
Best Practices for NSGs:
- Default Deny All: Always start with a rule that denies all inbound traffic. Only create explicit "Allow" rules for what is strictly necessary.
- Limit Outbound Access: Many organizations forget that malicious code on a desktop can try to "phone home." Restrict the outbound traffic from your session host subnet to only the necessary Azure services and internal resources.
- Use Service Tags: Instead of hardcoding IP addresses for Azure services (which change frequently), use Service Tags. For example, allow traffic to
WindowsVirtualDesktopandAzureCloudrather than specific IP ranges.
2. Application Security Groups (ASGs)
Managing individual IP addresses for hundreds of session hosts is a nightmare. ASGs allow you to group virtual machines based on their role. You can then write a rule that says "Allow SQL traffic from the 'AVD-Host-ASG' to the 'Database-ASG'." This makes your security policy readable and manageable.
3. Implementing Azure Firewall
While NSGs are great for basic filtering, they are "stateless" or basic stateful packet filters. They do not inspect the content of the traffic. For higher security requirements, you should deploy Azure Firewall at the hub level of a Hub-and-Spoke topology.
- FQDN Filtering: You can restrict traffic to specific domain names. For example, you can allow your AVD hosts to talk to
*.microsoft.comwhile blocking everything else. - Threat Intelligence: Azure Firewall has built-in threat intelligence that can automatically block traffic to known malicious IP addresses or domains.
Practical Implementation: Configuring Network Security
Let’s look at how to implement these controls using Azure CLI. This ensures your deployment is repeatable and documented.
Step 1: Create a Network Security Group
First, we create an NSG to serve as our base security layer.
# Create the NSG
az network nsg create \
--resource-group AVD-RG \
--name AVD-SessionHost-NSG
# Create a rule to allow internal AD communication (Example)
az network nsg rule create \
--resource-group AVD-RG \
--nsg-name AVD-SessionHost-NSG \
--name Allow-AD-Traffic \
--priority 100 \
--destination-port-ranges 389 636 88 464 \
--protocol Tcp \
--access Allow
Step 2: Configure Service Tags
When configuring your rules, always prefer Service Tags over raw IPs. This is a critical security maintenance practice.
Warning: Hardcoded IPs Never hardcode public IP addresses of Microsoft services in your NSG rules. These IP ranges are updated weekly. If you use hardcoded IPs, your AVD environment will eventually break when Microsoft updates their infrastructure. Always use the
Service Tagfeature.
Step 3: Enabling Private Endpoints for Storage
Your AVD session hosts likely use Azure Files for FSLogix profile storage. By default, these storage accounts might be accessible over the public internet. You must disable public access and use a Private Endpoint.
- Navigate to your Storage Account in the Azure Portal.
- Go to "Networking."
- Select "Private endpoint connections."
- Create a new Private Endpoint that maps to your VNet.
- Set the firewall to "Enabled from selected virtual networks and IP addresses."
This ensures that the traffic between your session hosts and your user profiles never touches the public internet.
Traffic Inspection and Monitoring
Security is not a "set and forget" task. You need visibility into what is happening on your network.
Azure Network Watcher
Network Watcher provides tools to monitor, diagnose, and view metrics for resources in an Azure VNet. Use NSG Flow Logs to see which traffic is being allowed or denied by your NSGs. If a user complains they cannot reach a resource, the Flow Logs will tell you exactly which rule blocked the packet.
Azure Monitor and Log Analytics
Send your NSG logs to a Log Analytics workspace. You can then write Kusto Query Language (KQL) queries to identify suspicious patterns.
Example KQL Query to find denied traffic:
AzureNetworkAnalytics_CL
| where FlowStatus_s == "D"
| project TimeGenerated, SrcIP_s, DestIP_s, DestPort_d, L7Protocol_s
| sort by TimeGenerated desc
This query helps you identify if a specific host is attempting to connect to unauthorized internal segments, which could be a sign of a compromised machine scanning the network.
Comparison: NSG vs. Azure Firewall
| Feature | Network Security Group (NSG) | Azure Firewall |
|---|---|---|
| Scope | Subnet or NIC level | VNet or Hub-and-Spoke level |
| Filtering Type | IP, Port, Protocol | FQDN, URL, IP, Port, Protocol |
| Intrusion Detection | No | Yes (IDPS) |
| Management | Distributed | Centralized |
| Cost | Free | Paid (throughput based) |
Best Practices for AVD Network Security
1. Hub-and-Spoke Topology
Always deploy your AVD session hosts in a "Spoke" VNet and route all internet-bound traffic through a "Hub" VNet where your centralized Azure Firewall resides. This prevents your session hosts from having direct internet access.
2. Disable Public IP Addresses
Your session hosts should never have Public IP addresses attached to their network interfaces. All communication should be routed through your NAT Gateway or Azure Firewall. If a VM has a Public IP, it is directly exposed to the entire internet for port scanning.
3. Use Bastion for Management
If you need to RDP into a session host for troubleshooting, do not open port 3389. Use Azure Bastion. It allows you to connect to your virtual machines through the Azure Portal over SSL, keeping your management traffic off the open internet.
4. Implement Just-in-Time (JIT) Access
If you are using Microsoft Defender for Cloud, enable JIT VM Access. This allows you to open management ports only for a specific window of time (e.g., 2 hours) when an admin needs to perform maintenance. Once the time expires, the port is automatically closed.
Callout: The Principle of Least Privilege Network security is the digital equivalent of the Principle of Least Privilege. If a session host does not need to talk to a database server, do not create an NSG rule allowing it. If a subnet does not need to talk to the internet, do not configure a route to the internet gateway. Restricting the "blast radius" of a potential compromise is the most effective security strategy.
Common Pitfalls and How to Avoid Them
Pitfall 1: Overly Permissive Rules
Many administrators start by creating an "Allow Any-Any" rule to get the environment working quickly. They often forget to remove this rule after the Proof of Concept.
- Solution: Use the "Deny All" rule at the bottom of your NSG and audit your rules every month to ensure they are still required.
Pitfall 2: Neglecting DNS Security
If your session hosts cannot resolve internal domain names, they will fail to join the domain or mount profiles. However, using public DNS for internal resources can lead to DNS hijacking.
- Solution: Use Azure Private DNS Zones. Link these zones to your VNet to ensure that all DNS resolution for your internal infrastructure happens over the private Azure backbone, not over the internet.
Pitfall 3: Ignoring Regional Latency
In an attempt to secure the network, some admins route all traffic through a firewall located in a different region. This adds significant latency to the RDP session, leading to a poor user experience.
- Solution: Keep your network security controls within the same region as your AVD session hosts to maintain performance.
Advanced Security: RDP Shortpath
RDP Shortpath is a feature that improves the performance of the remote desktop connection by establishing a direct transport between the client and the session host. While this sounds like a security risk, it is actually highly secure.
It uses ICE (Interactive Connectivity Establishment) to negotiate a direct connection, but it still requires the user to authenticate via the AVD control plane. The traffic is encrypted using DTLS (Datagram Transport Layer Security). By using Shortpath, you reduce the load on your Azure Firewall or NAT Gateway, as the bulk of the session traffic bypasses it.
Enabling RDP Shortpath
To implement this securely, ensure your NSGs allow inbound UDP traffic from the client's IP range to the session host's range on the ports negotiated by ICE. Since this is dynamic, you should use the AVD-native configuration which manages these ports automatically.
Identity as the New Perimeter
While this lesson focuses on network security, it is impossible to discuss it without mentioning identity. If an attacker gains valid user credentials, they can bypass your network controls by logging in as a legitimate user.
- Conditional Access: Always pair your network security with Azure AD Conditional Access. For example, you can create a policy that says: "Only allow connections to AVD if the user is using a managed, compliant device, and they are connecting from a known corporate IP range."
- Multi-Factor Authentication (MFA): This is non-negotiable. Even if your network is perfectly secure, a single phished password can grant access to your AVD environment. MFA adds the necessary second layer of defense.
Troubleshooting Network Issues in AVD
Even with the best design, issues will arise. Here is a systematic approach to troubleshooting:
- Check the AVD Agent: On the session host, check the AVD agent logs. If the agent cannot talk to the AVD service, the host will show as "Unavailable." This is usually a DNS issue or a blocked outbound port (443).
- Verify NSG Rules: Use the "IP Flow Verify" tool in Network Watcher. You can input the source IP, destination IP, and port to see if a specific NSG rule is blocking the traffic.
- Test Internal Connectivity: Use
Test-NetConnectionfrom within the session host to verify connectivity to your file servers (port 445) or Domain Controllers.Test-NetConnection -ComputerName FileServer01 -Port 445 - Check for "Asymmetric Routing": If you have a complex network with multiple firewalls or VPN tunnels, traffic might go out one path and try to come back another. This will cause the firewall to drop the packets. Ensure your routing tables are symmetrical.
Summary and Key Takeaways
Securing the network for Azure Virtual Desktop is a multi-layered discipline that requires a deep understanding of Azure networking primitives. By following the best practices outlined in this lesson, you can build a resilient, high-performance, and secure virtual desktop environment.
Key Takeaways:
- Adopt a Zero-Trust Mindset: Assume the network is hostile. Never trust traffic simply because it originates from inside your VNet. Use NSGs and ASGs to enforce the principle of least privilege.
- Leverage Native Azure Security: Use Azure Firewall for FQDN-based filtering and Threat Intelligence, and utilize Azure Bastion to eliminate the need for open management ports like 3389.
- Prioritize Identity: Network security is ineffective if identity is compromised. Always enforce MFA and use Conditional Access policies to restrict access based on device health and location.
- Automate and Standardize: Use Infrastructure as Code (like Terraform or Bicep) to deploy your network security components. This ensures that every VNet is configured consistently and reduces the risk of human error.
- Monitor Constantly: Enable NSG Flow Logs and use Log Analytics to maintain visibility. If you aren't looking at your logs, you aren't managing your security.
- Use Private Endpoints: Keep all backend traffic (FSLogix profiles, SQL, AD) off the public internet by utilizing Private Link and Private Endpoints.
- Keep it Performant: Don't sacrifice user experience for security. Use features like RDP Shortpath to optimize traffic flow while maintaining encryption standards.
By treating network security as an ongoing process rather than a one-time configuration, you ensure that your AVD environment remains a safe and productive space for your users, regardless of where they choose to work. Remember that the security landscape is constantly evolving; stay informed about new Azure features and update your security posture accordingly.
Frequently Asked Questions (FAQ)
Q: Do I need to open port 3389 for AVD? A: No. AVD uses a reverse-connect transport mechanism. The session host initiates an outbound connection to the AVD service, meaning no inbound ports need to be opened on your network firewall.
Q: What is the difference between an NSG and an ASG? A: An NSG is the resource that contains the rules (the firewall). An ASG is a logical grouping of virtual machines (a tag) that you can use as a source or destination in those rules.
Q: Is Azure Firewall required for AVD? A: It is not strictly required, but it is highly recommended for production environments where you need to filter traffic by FQDN or require centralized management of security policies across multiple VNets.
Q: How do I handle FSLogix profile traffic? A: You should store FSLogix profiles on Azure Files and access them via a Private Endpoint. This keeps the traffic inside your private network and prevents exposure to the public internet.
Q: What should I do if my session hosts are not showing as "Available"?
A: First, verify that the AVD agent is running on the host. Then, check your outbound rules to ensure the host can reach the required Microsoft service endpoints (e.g., *.wvd.microsoft.com). Finally, check your DNS settings to ensure the host can resolve your internal domain name.
Enjoying the courses?
Everything stays free. Pro shows fewer ads, doubles your daily points limit so you progress twice as fast, and lets you read each lesson on one page.
- ✓ Fewer advertisements
- ✓ 2× daily points limit
- ✓ Distraction-free lessons