Azure Virtual Desktop connectivity to a application hosted on Azure VMs.

Occasional Contributor

I have a customer who is deploying Azure Virtual Desktops.  They are also looking to move an application to run on Azure VMs.  This application would use AAD authentication so there would be no need to have an S2S VPN.  What I am trying to figure out is how the users of the virtual desktops would get access to the application running on Azure VMs.  Is that something that can be done via remote apps so that I don't have to expose the application to the internet?  Do I have to setup something like Azure Firewall to put the application behind to then allow the users to securely access the application?



4 Replies
Here is a different way to look at this question. What is the best way for user of Azure Virtual Desktops to access and a web application running on VMs in the same subscription? Can that be done without exposing the web application to the internet?
You may try to publish the application on internal hostname or url and restrict Restrict the others except AVDs on NSG level to access the app.

Hi @David-Haver,


This should be absolutely possible. With AVD you fully control the networking setup and configure what VNet is used for session hosts. AVD session hosts are regular Azure VMs, so depending on some additional requirements you might have with regards to isolating your AVD environment and those business apps you plan to host on Azure VMs, you could either:

  • host application VMs in the same VNet as your AVD session hosts, only in a different subnet
  • host those VMs in a different VNet that could then be peered with the AVD Vnet

In both scenarios, you can use Network Security Groups to control what traffic from AVD hosts is permitted to your application VMs. There is no need to publish your app to the Internet (attach a public IP address to the VM), network traffic between session hosts and the app servers can stay private.

you can use remote application groups and then define how the user/devices that are allowed to access the remote application group either via Azure AD conditional policies and Microsoft Intune. also if you are using Hub and spoke architecture control the access via Azure firewall in total you need to use Azure AD conditional access , Microsoft Intune and NSG and Azure firewall to explore the available options