DanRobb
Copper Contributor
Jun 05, 2019

Public IP Ranges for WVD

Hello,

Are there any public IP address ranges/subnets specifically for connectivity to the Windows Virtual Desktop infrastructure?

We have a secure environment which requires us to whitelist IP addresses on our on-prem firewall for external internet access. I've found the list of IP segments for Azure datacenters (https://www.microsoft.com/en-gb/download/details.aspx?id=41653) but we can't really whitelist all of those IP segments just for connectivity to WVD.

Thanks,

Daniel

14 Replies

  • stefbauer
    Copper Contributor

    I really need a way for WVD sessions to be compliant for conditional access to work correctly - right now, I am (manually) setting the IP into a known locations list that is allowed in conditional access.  That is not sustainable.

  • DanRobb it seems these were just published at the https://www.microsoft.com/en-us/download/details.aspx?id=56519 link.  Awesome!

  • ablv1
    Copper Contributor

    Over 6 months have passed, do we have these IP addresses yet?

  • jasonhand
    Copper Contributor

    DanRobb We are using a Standard Load Balancer so that our WVD hosts are all behind one IP.  Might be the solution you need.

    • DanRobb
      Copper Contributor

      jasonhand Thanks for your reply. That's useful to know (solves a totally different issue I'm currently working on) but won't work for this issue.

      Since the session hosts establish a reverse connection with the RD Broker, we don't really need to know what the public IP addresses of the session hosts are. It's the rest of the WVD infrastructure that we need them for (RD Web Access, RD Broker, RD Diagnostics etc.).

      Microsoft still haven't provided a list of WVD IP ranges. ScriptingJAK's list was created through trial and error, but Microsoft could add a new range or URL at any moment and break WVD connectivity for organisations that need to whitelist outbound internet connectivity.

  • fdwl
    Former Employee

    Hello DanRobb,

    We are working on documenting the IPs used for WVD services. I will update this post as soon as the documentation is published.

    • jw6224
      Copper Contributor

      fdwl - I'd like this as well.  Can you provide a status update as to when we can expect it?  This is most useful when trying to convince clients to allow this on their network.  So far, all I can find is connections to IPs that I trace back to DNS requests to:

      query.prod.cms.rt.microsoft.com
      rdweb.wvd.microsoft.com

      An IP list is most useful as not all network filters can trigger on URLs, though.

      • ScriptingJAK
        Copper Contributor

        jw6224

        Probably not complete, but here's the list I ended up with through trial and error.

        network-object 104.208.0.0 255.248.0.0
        network-object 13.104.0.0 255.252.0.0
        network-object 13.107.246.10 255.255.255.255
        network-object 13.64.0.0 255.224.0.0
        network-object 13.96.0.0 255.248.0.0
        network-object 137.116.0.0 255.255.0.0
        network-object 137.135.0.0 255.255.0.0
        network-object 151.101.248.133 255.255.255.255
        network-object 152.199.4.0 255.255.255.0
        network-object 20.36.0.0 255.252.0.0
        network-object 204.79.195.0 255.255.255.0
        network-object 204.79.196.0 255.255.254.0
        network-object 23.100.64.0 255.255.248.0
        network-object 23.102.128.0 255.255.192.0
        network-object 23.37.68.220 255.255.255.255
        network-object 40.126.0.0 255.255.0.0
        network-object 40.64.0.0 255.248.0.0
        network-object 40.71.0.0 255.255.0.0
        network-object 40.90.0.0 255.255.0.0
        network-object 40.90.23.0 255.255.255.0
        network-object 51.143.0.0 255.255.128.0
        network-object 52.109.0.0 255.255.252.0
        network-object 52.112.0.0 255.252.0.0
        network-object 52.125.0.0 255.255.0.0
        network-object 52.132.0.0 255.252.0.0
        network-object 52.136.0.0 255.248.0.0
        network-object 52.146.0.0 255.254.0.0
        network-object 52.152.0.0 255.248.0.0
        network-object 52.165.0.0 255.255.0.0
        network-object 52.177.0.0 255.255.0.0
        network-object 52.224.0.0 255.224.0.0
        network-object 52.239.246.0 255.255.254.0
        network-object 52.96.0.0 255.240.0.0
        network-object 72.21.0.0 255.255.0.0
        network-object 96.6.16.17 255.255.255.255
        network-object 23.102.135.246 255.255.255.255
        network-object object URL-autologon.microsoftazuread-sso.com
        network-object object URL-genevamondocs.azurewebsites.net
        network-object object URL-global.metrics.nsatc.net
        network-object object URL-login.windows.net
        network-object object URL-mrsglobalsteus2prod.blob.core.windows.net
        network-object object URL-prod.warmpath.msftcloudes.com
        network-object object URL-prod2.metrics.nsatc.net
        network-object object URL-prod3.metrics.nsatc.net
        network-object object URL-prod4.metrics.nsatc.net
        network-object object URL-prod5.metrics.nsatc.net
        network-object object URL-production.diagnostics.monitoring.core.windows.net
        network-object object URL-rdbroker-r0.wvd.microsoft.com
        network-object object URL-rdbroker-r1.wvd.microsoft.com
        network-object object URL-rdbroker.wvd.microsoft.com
        network-object object URL-rddiagnostics-r0.wvd.microsoft.com
        network-object object URL-rddiagnostics-r1.wvd.microsoft.com
        network-object object URL-rddiagnostics.wvd.microsoft.com
        network-object object URL-rdgateway-r0.wvd.microsoft.com
        network-object object URL-rdgateway-r1.wvd.microsoft.com
        network-object object URL-rdweb-r0.wvd.microsoft.com
        network-object object URL-rdweb-r1.wvd.microsoft.com
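
Added example, not part of any post in this thread and not Microsoft's code: a Python check for a hand-built ASA list like the one above (entries already covered by a broader entry, and how many addresses the list opens in total), plus a renderer that turns prefixes from a published JSON file, such as the download linked earlier in the thread, into the same `network-object` form. The JSON layout (`values`, `properties.addressPrefixes`), the tag name `WindowsVirtualDesktop` and the sample prefixes are assumptions; the function names are made up for this example.

```python
import ipaddress
import json

# Five address entries and one named-object reference copied from the list above.
HAND_BUILT = """\
network-object 40.90.0.0 255.255.0.0
network-object 40.90.23.0 255.255.255.0
network-object 23.102.128.0 255.255.192.0
network-object 23.102.135.246 255.255.255.255
network-object 52.224.0.0 255.224.0.0
network-object object URL-rdbroker.wvd.microsoft.com
""".splitlines()

# Constructed sample: assumed file layout, documentation prefixes, assumed tag name.
SAMPLE_TAGS = json.loads("""{"values": [{"name": "WindowsVirtualDesktop",
  "properties": {"addressPrefixes":
    ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.64/26", "2001:db8::/32"]}}]}""")

def parse_asa(lines):
    """IPv4 networks from 'network-object <ip> <mask>' lines."""
    nets = []
    for line in lines:
        parts = line.split()
        # 'network-object object NAME' points at a named object, not a range.
        if len(parts) == 3 and parts[0] == "network-object" and parts[1] != "object":
            nets.append(ipaddress.ip_network(f"{parts[1]}/{parts[2]}"))
    return nets

def shadowed(nets):
    """(entry, broader entry) pairs where the first adds nothing to the list."""
    return [(n, o) for n in nets for o in nets if n != o and n.subnet_of(o)]

def allowed_addresses(nets):
    """How many IPv4 addresses the list opens up, overlaps counted once."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def published_as_asa(doc, tag):
    """One tag's IPv4 prefixes, merged and rendered as network-object lines."""
    for value in doc["values"]:
        if value["name"] == tag:
            v4 = [ipaddress.ip_network(p)
                  for p in value["properties"]["addressPrefixes"] if ":" not in p]
            return [f"network-object {n.network_address} {n.netmask}"
                    for n in ipaddress.collapse_addresses(v4)]
    raise KeyError(tag)

if __name__ == "__main__":
    nets = parse_asa(HAND_BUILT)
    print(shadowed(nets), allowed_addresses(nets),
          published_as_asa(SAMPLE_TAGS, "WindowsVirtualDesktop"))
```

Regenerating the object group from the published file on a schedule and diffing it against the running configuration shows when a range has been added or dropped, which a trial-and-error list cannot.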

    • jmannbaylor
      Copper Contributor

      Bumping this.  When trying to secure the WVD range behind an NVA (in this case, a Palo Alto) if you override the default route you break access to WVD from the rdweb portals.  Really need a list of IP addresses (or the ability to use microsoft managed service objects!! in the route table) to override.

    • CyclopsHelpdesk
      Copper Contributor

      Hi fdwl

      Any update on this list please? We need to whitelist the ranges so we can secure connection to a DB instance in our Azure tenant.

      Thank you.
