Jun 05 2019 02:22 AM
Jun 05 2019 02:22 AM
Are there any public IP address ranges/subnets specifically for connectivity to the Windows Virtual Desktop infrastructure?
We have a secure environment which requires us to whitelist IP addresses on our on-prem firewall for external internet access. I've found the list of IP segments for Azure datacenters (https://www.microsoft.com/en-gb/download/details.aspx?id=41653) but we can't really whitelist all of those IP segments just for connectivity to WVD.
Dec 26 2019 10:48 AM
Bumping this. When trying to secure the WVD range behind an NVA (in this case, a Palo Alto) if you override the default route you break access to WVD from the rdweb portals. Really need a list of IP addresses (or the ability to use microsoft managed service objects!! in the route table) to override.
Jan 23 2020 03:28 PM
@fdwl- I'd like this as well. Can you provide a status update as to when we can expect it? This is most useful when trying to convince clients to allow this on their network. So far, all I can find is connections to IPs that I trace back to DNS requests to:
An IP list is most useful as not all network filters can trigger on URLs, though.
Jan 23 2020 05:08 PM
Probably not complete, but here's the list I ended up with through trial and error.
network-object 188.8.131.52 255.248.0.0
network-object 184.108.40.206 255.252.0.0
network-object 220.127.116.11 255.255.255.255
network-object 18.104.22.168 255.224.0.0
network-object 22.214.171.124 255.248.0.0
network-object 126.96.36.199 255.255.0.0
network-object 188.8.131.52 255.255.0.0
network-object 184.108.40.206 255.255.255.255
network-object 220.127.116.11 255.255.255.0
network-object 18.104.22.168 255.252.0.0
network-object 22.214.171.124 255.255.255.0
network-object 126.96.36.199 255.255.254.0
network-object 188.8.131.52 255.255.248.0
network-object 184.108.40.206 255.255.192.0
network-object 220.127.116.11 255.255.255.255
network-object 18.104.22.168 255.255.0.0
network-object 22.214.171.124 255.248.0.0
network-object 126.96.36.199 255.255.0.0
network-object 188.8.131.52 255.255.0.0
network-object 184.108.40.206 255.255.255.0
network-object 220.127.116.11 255.255.128.0
network-object 18.104.22.168 255.255.252.0
network-object 22.214.171.124 255.252.0.0
network-object 126.96.36.199 255.255.0.0
network-object 188.8.131.52 255.252.0.0
network-object 184.108.40.206 255.248.0.0
network-object 220.127.116.11 255.254.0.0
network-object 18.104.22.168 255.248.0.0
network-object 22.214.171.124 255.255.0.0
network-object 126.96.36.199 255.255.0.0
network-object 188.8.131.52 255.224.0.0
network-object 184.108.40.206 255.255.254.0
network-object 220.127.116.11 255.240.0.0
network-object 18.104.22.168 255.255.0.0
network-object 22.214.171.124 255.255.255.255
network-object 126.96.36.199 255.255.255.255
network-object object URL-autologon.microsoftazuread-sso.com
network-object object URL-genevamondocs.azurewebsites.net
network-object object URL-global.metrics.nsatc.net
network-object object URL-login.windows.net
network-object object URL-mrsglobalsteus2prod.blob.core.windows.net
network-object object URL-prod.warmpath.msftcloudes.com
network-object object URL-prod2.metrics.nsatc.net
network-object object URL-prod3.metrics.nsatc.net
network-object object URL-prod4.metrics.nsatc.net
network-object object URL-prod5.metrics.nsatc.net
network-object object URL-production.diagnostics.monitoring.core.windows.net
network-object object URL-rdbroker-r0.wvd.microsoft.com
network-object object URL-rdbroker-r1.wvd.microsoft.com
network-object object URL-rdbroker.wvd.microsoft.com
network-object object URL-rddiagnostics-r0.wvd.microsoft.com
network-object object URL-rddiagnostics-r1.wvd.microsoft.com
network-object object URL-rddiagnostics.wvd.microsoft.com
network-object object URL-rdgateway-r0.wvd.microsoft.com
network-object object URL-rdgateway-r1.wvd.microsoft.com
network-object object URL-rdweb-r0.wvd.microsoft.com
network-object object URL-rdweb-r1.wvd.microsoft.com
Jan 24 2020 04:09 AM
@jasonhandThanks for your reply. That's useful to know (solves a totally different issue I'm currently working on) but won't work for this issue.
Since the session hosts establish a reverse connection with the RD Broker, we don't really need to know what the public IP addresses of the session hosts are. It's the rest of the WVD infrastructure that we need them for (RD Web Access, RD Broker, RD Diagnostics etc.).
Microsoft still haven't provided a list of WVD IP ranges. ScriptingJAK's list was created through trial and error, but Microsoft could add a new range or URL at any moment and break WVD connectivity for organisations that need to whitelist outbound internet connectivity.
May 19 2020 03:02 PM
May 19 2020 03:02 PM
https://docs.microsoft.com/en-us/azure/virtual-desktop/overview - we support Service Tag and FQDN Tag.
May 29 2020 05:53 AM
I really need a way for WVD sessions to be complaint for conditional access to work correctly - right now, I am (manually) setting the IP into a known locations list that is allowed in conditional access. That is not sustainable.