Windows Virtual Desktop - Firewall Appliance


Has anyone configured Windows Virtual Desktop session host traffic to be protected and put behind a virtual firewall appliance? By default, when deploying host pools, there is no NSG configured. The step up from there is filtering the web and network traffic on these session hosts.

What is the recommended and supported way to configure these and not break the Broker, load balancer and FSLogix dependencies?

4 Replies
I would like to know if this is already done?

Tried placing an NVA and it works; just a UDR for a default route is required on the WVD subnet.

@AlokSanyal09 Thanks for the reply.

What outbound rules did you have to add to the firewall?

I'm assuming you changed the next hop for 0.0.0.0/0 to your NVA?

@AlokSanyal09 I am trying to deploy the same, trying with Azure Firewall to check if that works.

Can you throw some light on the UDR configuration when using an NVA here?