Oct 13 2023 06:21 AM - edited Oct 13 2023 06:26 AM
Windows 365 has a range of connectivity requirements in terms of FQDNs which need to be accessible directly from the VNet for the service to be able to operate and users connect to their Cloud PC. As the service has grown and expanded, over time this list has grown at in parallel. Significant effort has been going on in the background by our fantastic engineering team to simplify and reduce these requirements and also abstract customers from future change where possible as the service expands and improves over time.
I’m pleased to announce Windows 365 customers will start to see the first of the improvements cumulating from this work start rolling out over the coming months. This has been relayed to customers via message center post ID MC675811 already but you’ll find more detail on this change below.
The first of these improvements revolves around the reduction of the required FQDNs for the service. Over the coming months we’ll be removing the use of a considerable number of the required FQDNs from the requirements, once this is fully complete, we’ll remove them from our docs page and at that point they can then be safely removed from any firewall rules etc. We will send out official communications to customers when this removal can be done. Following this initial phase, even more removals are planned in future as engineering work to facilitate this completes. In addition there are also other significant improvements being worked on which we’ll announce nearer the time they are ready to be released.
We’re moving a large number of the FQDNs to resolve under an existing wildcard FQDN *.infra.windows365.microsoft.com (*.infra.windows365.microsoft.us if within Windows 365 US Government environments) which has been part of the published endpoint requirements for a considerable amount of time. For example, an existing endpoint such as cpcsaamssa1prodprap01.blob.core.windows.net will now become accessible via something.infra.windows365.microsoft.com instead. As the wildcard means ‘anything’, this means we can create future endpoints inside this wildcard domain without the need for changes to your rulesets and configuration.
These changes are only for the Cloud PC side only. No access is required for these endpoints on the side of the physical device connecting to Windows 365.
For more information on these two network deployment models, see here.
There are numerous benefits accrued through this first phase of improvements:
As the endpoint we’re migrating to (*.infra.windows365.microsoft.com) has been in the published requirements for a considerable amount of time, it’s very likely that no change to configuration is necessary in most customer environments. However, you may want to ratify that this endpoint is accessible from your environments by doing the following.
Although this endpoint isn’t designed to be human accessible, If you wish to ratify that access is possible to *.infra.windows365.microsoft.com you can use the following methods:
Psping -n 5 saprod.infra.windows365.microsoft.com:443
You will again need to ensure this connection is routed directly out of the VNet and not via any SWG/Proxy infrastructure so as to ensure the direct path required for provisioning/operation is available. If successful you should see a response similar to that below: