Network Security Group - Outbound Security Rules for VNET isolation


Are there any Microsoft documented recommendations for mandatory NSG Outbound Security Rules for Azure Virtual Desktop?

Key requirement is to ensure there is VNET to VNET isolation.

Thanks in advance.

3 Replies
NSGs will come baked in with default Outbound rules. Any custom rules are entirely up to the customer. If you do not want session hosts to talk to other session hosts, deploy them on separate vNETs and, ideally, separate host pools.
Hi kjones.

So we currently have environments on separate VNETs, host pools, etc., however the default NSG outbound security rules allow traffic outbound to any other VNET. More than likely we just need a deny rule that takes precedence over the default VNET to VNET allow.
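The precedence point made in the reply above, as an added model that is not the thread's own code nor Azure's implementation: NSG rules are evaluated in ascending priority order and the first match wins, so a custom Deny at priority 4000 overrides the built-in AllowVnetOutBound rule at 65000. The address spaces and the WindowsVirtualDesktop range are constructed stand-ins, and service tags are modelled as plain prefix lists.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address spaces (assumptions, not taken from the thread).
LOCAL_VNET = ["10.10.0.0/16"]           # the AVD host pool's own VNet
PEERED_VNETS = ["10.20.0.0/16"]         # another environment's VNet, peered to it
AVD_CONTROL_PLANE = ["203.0.113.0/24"]  # stand-in for the WindowsVirtualDesktop tag
# Service tags modelled as prefix lists. In Azure the VirtualNetwork tag covers
# the VNet's own address space plus peered VNets, so a bare deny on it also
# blocks traffic inside the VNet; hence the local allow placed ahead of it.
TAGS = {
    "VirtualNetwork": LOCAL_VNET + PEERED_VNETS,
    "WindowsVirtualDesktop": AVD_CONTROL_PLANE,
    "Internet": ["0.0.0.0/0"],  # simplified: Azure's tag excludes VNet space
    "*": ["0.0.0.0/0"],
}
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int  # lower number is evaluated first
    access: str    # "Allow" or "Deny"
    dest: str      # service tag or CIDR

def _matches(dest, ip):
    return any(ip in ipaddress.ip_network(p) for p in TAGS.get(dest, [dest]))

def evaluate(rules, dest_ip):
    """First matching rule in ascending priority order decides, as NSGs do."""
    ip = ipaddress.ip_address(dest_ip)
    for r in sorted(rules, key=lambda r: r.priority):
        if _matches(r.dest, ip):
            return r.access, r.name
    return "Deny", "implicit"
# Azure's built-in default outbound rules (names and priorities are the real ones).
DEFAULT_OUTBOUND = [
    Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork"),
    Rule("AllowInternetOutBound", 65001, "Allow", "Internet"),
    Rule("DenyAllOutBound", 65500, "Deny", "*"),
]
# Custom rules: lower priority numbers, so they win over the defaults.
ISOLATION_RULES = [
    Rule("AllowLocalVnet", 100, "Allow", "10.10.0.0/16"),
    Rule("AllowAvdControlPlane", 200, "Allow", "WindowsVirtualDesktop"),
    Rule("DenyVnetToVnet", 4000, "Deny", "VirtualNetwork"),
]
def decision(custom_rules, dest_ip):
    return evaluate(custom_rules + DEFAULT_OUTBOUND, dest_ip)
```

With only the defaults, a peered VNet address is allowed by AllowVnetOutBound; with the custom set, the same address hits DenyVnetToVnet while in-VNet and AVD control-plane destinations still pass through the earlier allows.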

Redsman13, thanks for the clarification! By default, vNETs cannot talk to each other unless they are peered. As long as you do not peer them together, resources on separate vNETs cannot talk to each other unless they are resources with public endpoints (ex. Storage Accounts, Azure SQL Database, etc.)