Public IP Ranges for WVD

Hello,

Are there any public IP address ranges/subnets specifically for connectivity to the Windows Virtual Desktop infrastructure?

We have a secure environment which requires us to whitelist IP addresses on our on-prem firewall for external internet access. I've found the list of IP segments for Azure datacenters (https://www.microsoft.com/en-gb/download/details.aspx?id=41653) but we can't really whitelist all of those IP segments just for connectivity to WVD.

Thanks,

Daniel

14 Replies

Hello @DanRobb,

We are working on documenting the IPs used for WVD services. I will update this post as soon as the documentation is published.

@fdwl Thank you.

@fdwl Is there any update?

@DanRobb

Similar issue. Any traction for a list?

Hi @fdwl

Any update on this list please? We need to whitelist the ranges so we can secure connection to a DB instance in our Azure tenant.

Thank you.

Bumping this. When trying to secure the WVD range behind an NVA (in this case, a Palo Alto), if you override the default route you break access to WVD from the rdweb portals. Really need a list of IP addresses (or the ability to use Microsoft managed service objects!! in the route table) to override.

@fdwl - I'd like this as well. Can you provide a status update as to when we can expect it? This is most useful when trying to convince clients to allow this on their network. So far, all I can find is connections to IPs that I trace back to DNS requests to:

query.prod.cms.rt.microsoft.com
rdweb.wvd.microsoft.com

An IP list is most useful as not all network filters can trigger on URLs, though.

@jw6224

Probably not complete, but here's the list I ended up with through trial and error.

network-object 104.208.0.0 255.248.0.0
network-object 13.104.0.0 255.252.0.0
network-object 13.107.246.10 255.255.255.255
network-object 13.64.0.0 255.224.0.0
network-object 13.96.0.0 255.248.0.0
network-object 137.116.0.0 255.255.0.0
network-object 137.135.0.0 255.255.0.0
network-object 151.101.248.133 255.255.255.255
network-object 152.199.4.0 255.255.255.0
network-object 20.36.0.0 255.252.0.0
network-object 204.79.195.0 255.255.255.0
network-object 204.79.196.0 255.255.254.0
network-object 23.100.64.0 255.255.248.0
network-object 23.102.128.0 255.255.192.0
network-object 23.37.68.220 255.255.255.255
network-object 40.126.0.0 255.255.0.0
network-object 40.64.0.0 255.248.0.0
network-object 40.71.0.0 255.255.0.0
network-object 40.90.0.0 255.255.0.0
network-object 40.90.23.0 255.255.255.0
network-object 51.143.0.0 255.255.128.0
network-object 52.109.0.0 255.255.252.0
network-object 52.112.0.0 255.252.0.0
network-object 52.125.0.0 255.255.0.0
network-object 52.132.0.0 255.252.0.0
network-object 52.136.0.0 255.248.0.0
network-object 52.146.0.0 255.254.0.0
network-object 52.152.0.0 255.248.0.0
network-object 52.165.0.0 255.255.0.0
network-object 52.177.0.0 255.255.0.0
network-object 52.224.0.0 255.224.0.0
network-object 52.239.246.0 255.255.254.0
network-object 52.96.0.0 255.240.0.0
network-object 72.21.0.0 255.255.0.0
network-object 96.6.16.17 255.255.255.255
network-object 23.102.135.246 255.255.255.255
network-object object URL-autologon.microsoftazuread-sso.com
network-object object URL-genevamondocs.azurewebsites.net
network-object object URL-global.metrics.nsatc.net
network-object object URL-login.windows.net
network-object object URL-mrsglobalsteus2prod.blob.core.windows.net
network-object object URL-prod.warmpath.msftcloudes.com
network-object object URL-prod2.metrics.nsatc.net
network-object object URL-prod3.metrics.nsatc.net
network-object object URL-prod4.metrics.nsatc.net
network-object object URL-prod5.metrics.nsatc.net
network-object object URL-production.diagnostics.monitoring.core.windows.net
network-object object URL-rdbroker-r0.wvd.microsoft.com
network-object object URL-rdbroker-r1.wvd.microsoft.com
network-object object URL-rdbroker.wvd.microsoft.com
network-object object URL-rddiagnostics-r0.wvd.microsoft.com
network-object object URL-rddiagnostics-r1.wvd.microsoft.com
network-object object URL-rddiagnostics.wvd.microsoft.com
network-object object URL-rdgateway-r0.wvd.microsoft.com
network-object object URL-rdgateway-r1.wvd.microsoft.com
network-object object URL-rdweb-r0.wvd.microsoft.com
network-object object URL-rdweb-r1.wvd.microsoft.com

@DanRobb We are using a Standard Load Balancer so that our WVD hosts are all behind one IP. Might be the solution you need.

@jasonhand Thanks for your reply. That's useful to know (solves a totally different issue I'm currently working on) but won't work for this issue.

Since the session hosts establish a reverse connection with the RD Broker, we don't really need to know what the public IP addresses of the session hosts are. It's the rest of the WVD infrastructure that we need them for (RD Web Access, RD Broker, RD Diagnostics etc.).

Microsoft still haven't provided a list of WVD IP ranges. ScriptingJAK's list was created through trial and error, but Microsoft could add a new range or URL at any moment and break WVD connectivity for organisations that need to whitelist outbound internet connectivity.

Over 6 months have passed, do we have these IP addresses yet?

@DanRobb it seems these were just published at the Azure IP Ranges and Service Tags - Public Cloud link.  Awesome!

@Deleted 

https://docs.microsoft.com/en-us/azure/virtual-desktop/overview - we support Service Tag and FQDN Tag.
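
Added example (not part of any post in this thread): once the ranges are published as a service tag, the hand-built firewall list can be checked against the published file instead of maintained by trial and error. The sketch below assumes the `values[].name` / `properties.addressPrefixes` layout of the Service Tags JSON download and the `WindowsVirtualDesktop` tag name; the sample data and the firewall lines are constructed, using documentation address ranges.

```python
import ipaddress
import json

# Constructed sample in the layout of the Service Tags JSON download;
# the prefixes are documentation ranges, not Microsoft's real ones.
SAMPLE_SERVICE_TAGS = json.dumps({"cloud": "Public", "values": [
    {"name": "WindowsVirtualDesktop", "properties": {"addressPrefixes": [
        "192.0.2.0/24", "198.51.100.16/28", "2001:db8::/32"]}},
    {"name": "Storage", "properties": {"addressPrefixes": ["203.0.113.0/24"]}},
]})

# Constructed ASA object-group lines, same syntax as the list in the thread.
CURRENT_ASA = """\
network-object 192.0.2.0 255.255.255.0
network-object 203.0.113.7 255.255.255.255
network-object object URL-rdweb.wvd.microsoft.com
"""

def tag_networks(doc_text, tag="WindowsVirtualDesktop"):
    """Return the IPv4 networks published under one service tag."""
    for entry in json.loads(doc_text)["values"]:
        if entry["name"] == tag:
            nets = map(ipaddress.ip_network, entry["properties"]["addressPrefixes"])
            return {n for n in nets if n.version == 4}
    raise KeyError(f"service tag {tag!r} not found")

def asa_networks(config_text):
    """Parse 'network-object <addr> <mask>' lines; FQDN object references are skipped."""
    nets = set()
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "network-object" and parts[1] != "object":
            nets.add(ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False))
    return nets

def drift(doc_text, config_text):
    """Return (lines to add, lines to remove) for the firewall object group."""
    published, allowed = tag_networks(doc_text), asa_networks(config_text)
    def fmt(n):
        return f"network-object {n.network_address} {n.netmask}"
    missing = sorted(fmt(n) for n in published if not any(n.subnet_of(a) for a in allowed))
    stale = sorted(fmt(a) for a in allowed if not any(a.overlaps(p) for p in published))
    return missing, stale

if __name__ == "__main__":
    add, remove = drift(SAMPLE_SERVICE_TAGS, CURRENT_ASA)
    print("add:", add)
    print("remove:", remove)
```

Running this on a schedule against a fresh download surfaces newly published ranges before they break connectivity, and flags allowed ranges that no longer correspond to anything published so the outbound rule set does not stay wider than it needs to be.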

I really need a way for WVD sessions to be compliant for conditional access to work correctly - right now, I am (manually) setting the IP into a known locations list that is allowed in conditional access. That is not sustainable.