Jun 05 2019 02:22 AM
Hello,
Are there any public IP address ranges/subnets specifically for connectivity to the Windows Virtual Desktop infrastructure?
We have a secure environment which requires us to whitelist IP addresses on our on-prem firewall for external internet access. I've found the list of IP segments for Azure datacenters (https://www.microsoft.com/en-gb/download/details.aspx?id=41653) but we can't really whitelist all of those IP segments just for connectivity to WVD.
Thanks,
Daniel
Jun 14 2019 04:28 PM
Hello @DanRobb,
We are working on documenting the IPs used for WVD services. I will update this post as soon as the documentation is published.
Nov 06 2019 03:33 AM
Hi @fdwl
Any update on this list please? We need to whitelist the ranges so we can secure connection to a DB instance in our Azure tenant.
Thank you.
Dec 26 2019 10:48 AM
Bumping this. When trying to secure the WVD range behind an NVA (in this case, a Palo Alto), if you override the default route you break access to WVD from the rdweb portals. Really need a list of IP addresses (or the ability to use Microsoft managed service objects!! in the route table) to override.
Jan 23 2020 03:28 PM
@fdwl - I'd like this as well. Can you provide a status update as to when we can expect it? This is most useful when trying to convince clients to allow this on their network. So far, all I can find is connections to IPs that I trace back to DNS requests to:
query.prod.cms.rt.microsoft.com
rdweb.wvd.microsoft.com
An IP list is most useful as not all network filters can trigger on URLs, though.
Jan 23 2020 05:08 PM
Probably not complete, but here's the list I ended up with through trial and error.
Jan 24 2020 03:42 AM
@DanRobb We are using a Standard Load Balancer so that our WVD hosts are all behind one IP. Might be the solution you need.
Jan 24 2020 04:09 AM
@jasonhand Thanks for your reply. That's useful to know (solves a totally different issue I'm currently working on) but won't work for this issue.
Since the session hosts establish a reverse connection with the RD Broker, we don't really need to know what the public IP addresses of the session hosts are. It's the rest of the WVD infrastructure that we need them for (RD Web Access, RD Broker, RD Diagnostics etc.).
Microsoft still haven't provided a list of WVD IP ranges. ScriptingJAK's list was created through trial and error, but Microsoft could add a new range or URL at any moment and break WVD connectivity for organisations that need to whitelist outbound internet connectivity.
Jan 28 2020 05:56 AM
Over 6 months have passed, do we have these IP addresses yet?
May 18 2020 05:26 PM
@DanRobb it seems these were just published at the Azure IP Ranges and Service Tags - Public Cloud link. Awesome!
May 19 2020 03:02 PM
@Deleted
https://docs.microsoft.com/en-us/azure/virtual-desktop/overview - we support Service Tag and FQDN Tag.
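Added example (not part of any post in this thread, and not Microsoft's code): with the ranges published in the Azure IP Ranges and Service Tags JSON, an outbound allowlist can be generated from the `WindowsVirtualDesktop` tag and compared with what the firewall currently holds, so a newly published range shows up as drift before it breaks connectivity. The sample document below is constructed in a reduced form of that file's layout using documentation prefixes, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample in a reduced form of the "Azure IP Ranges and Service
# Tags - Public Cloud" JSON layout; prefixes are documentation ranges.
SAMPLE_SERVICE_TAGS = json.loads("""
{
  "changeNumber": 1,
  "cloud": "Public",
  "values": [
    {"name": "WindowsVirtualDesktop",
     "properties": {"systemService": "WindowsVirtualDesktop",
                    "addressPrefixes": ["192.0.2.0/25", "192.0.2.128/25",
                                        "198.51.100.0/24", "2001:db8::/48"]}},
    {"name": "Storage",
     "properties": {"systemService": "AzureStorage",
                    "addressPrefixes": ["203.0.113.0/24"]}}
  ]
}
""")


def tag_networks(doc, tag="WindowsVirtualDesktop"):
    """Return the collapsed IPv4 networks published for one service tag."""
    for entry in doc["values"]:
        if entry["name"] == tag:
            nets = (ipaddress.ip_network(p) for p in entry["properties"]["addressPrefixes"])
            v4 = [n for n in nets if n.version == 4]
            return sorted(ipaddress.collapse_addresses(v4))
    raise KeyError(f"service tag {tag!r} not found")


def asa_lines(networks):
    """Render networks in 'network-object <addr> <mask>' syntax."""
    return [f"network-object {n.network_address} {n.netmask}" for n in networks]


def drift(deployed_lines, published_lines):
    """Return (entries to add, entries to remove) versus the published set."""
    deployed, published = set(deployed_lines), set(published_lines)
    return sorted(published - deployed), sorted(deployed - published)


if __name__ == "__main__":
    current = asa_lines(tag_networks(SAMPLE_SERVICE_TAGS))
    stale = ["network-object 192.0.2.0 255.255.255.128"]  # constructed: old rule set
    to_add, to_remove = drift(stale, current)
    print("\n".join(current), "\nadd:", to_add, "\nremove:", to_remove)
```

Running the comparison on a schedule against each new download of the file turns a silent range change into a reviewable firewall change request.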
May 29 2020 05:53 AM
I really need a way for WVD sessions to be compliant for conditional access to work correctly - right now, I am (manually) setting the IP into a known locations list that is allowed in conditional access. That is not sustainable.