WVD Network Security | Windows Virtual Desktop - #10

  • Published on 27 Oct 2024

Comments • 79

  • @frederichoffmann1391 4 years ago +4

    Dean, thanks for making these videos, great content and to the point! I will watch more of your backlog, I do however get quite distracted by the background music loop. Please consider lowering the volume of the music track or removing it entirely during the tutorial part.

    • @AzureAcademy 4 years ago +2

      Thank you for the feedback, I will see what I can do with the background music

  • @rudneiusa1995 4 years ago +2

    You have done amazing work collecting how-to info from MSFT docs and putting it in quick videos! Congrats. : )

  • @BijouBakson 2 years ago +1

    Sure helps to get an overview of WVD & its access/security administration. Thank you

    • @AzureAcademy 2 years ago +2

      All kinds of good videos on the channel! If you want something I don’t have, let me know…always looking for new ideas 😄

    • @BijouBakson 2 years ago +1

      @@AzureAcademy I'll bear that in mind.

    • @AzureAcademy 2 years ago +1

      🙌

  • @richardlphillips 4 years ago +2

    Thanks for showing us how to get to custom Azure Images. I wasted a lot of time on Friday. So simple when you know how. Thank you. :-D

    • @AzureAcademy 4 years ago +2

      LOL no worries! Happy that you have it working!

  • @MrIT-gi4dt 4 years ago +1

    Thanks for this great explanation of the spring update of wvd!

    • @AzureAcademy 4 years ago +1

      Happy to help Mr. IT !

  • @danjackson2208 4 years ago +2

    Thanks Dean, great start to the micro series.
    What would be your opinion on the fundamental reason a company would want to deploy Azure Firewall as opposed to just using NSGs/UDRs? Purely administration and scale? What do you see as key differentiators?

    • @AzureAcademy 4 years ago +2

      Good question Danny. NSGs are simple access control lists. They are not intelligent and they do not have a lot of monitoring and analytics. You get these features in the firewall.
      Also, with NSGs you need 1 per subnet and/or 1 per network card on the VMs.
      The firewall is a central management point, which is simpler.
      Finally, the feature set of the firewall. More options for managing the rules...like URL filtering including wildcards, NAT rules and other Azure services that are more specific than the NSGs

    • @danjackson2208 4 years ago +1

      @@AzureAcademy Thanks Dean.... so the way I read that is that for a simple WVD-specific deployment NSGs are more than sufficient. When considering scale, enhanced monitoring/analytics and additional services/capabilities, then an Azure FW makes sense, is that fair to say?

    • @AzureAcademy 4 years ago +2

      Yes I believe that is fair. 😊

  • @markojuutinen 4 years ago +1

    This was good.. Very clear setup. Thank you

  • @adrielmeneses7044 3 years ago +1

    Great video and series overall! Newb at this Azure sec stuff: what routes/rules would I need to set if I have an IPsec site-to-site from the Azure VNet into our on-prem firewall? The tunnel is there for our Azure VMs to be able to reach our on-prem AD DC.

    • @AzureAcademy 3 years ago +1

      In Azure you need a user defined route to send traffic to on-prem, since the default route sends traffic to the internet.
      As for the on-prem side...not sure what you need vs. what you have

  • @richarddu844 4 years ago

    Wow, another one, 21. This series is great. I was just testing pfSense in Azure, can't wait to see your solution.

    • @AzureAcademy 4 years ago

      Thanks Richard! I haven't used pfSense...do you have a doc or a video for how to deploy it in Azure?

    • @richarddu844 4 years ago

      @@AzureAcademy My goal was to control user internet access and block unwanted sites. I've been using pfSense free edition on-prem for years so it was the first thing to research. Here's an article I found on building a VHD image and importing it to an Azure VM: www.christofvg.be/2019/01/12/pfSense-on-Azure-Part-1-Create-pfSense-Virtual-Machine/. Still fighting pfSense problems but workable.

    • @AzureAcademy 4 years ago

      Thanks for the doc...I will check it out!

  • @hasanreza0 4 years ago +1

    Great Dean ... Thanks

  • @AmarSingh-pu3mg 4 years ago +1

    Hi Dean, thank you so much for your awesome videos. Please help me: how do I route WVD outbound internet traffic to on-prem?

    • @AzureAcademy 4 years ago +1

      To direct internet-bound traffic in Azure to a firewall, or on-prem before the internet, you need a route table. Set the "NEXT HOP" to be your firewall's IP address...unless it is the Azure Gateway to on-prem...then use the Gateway checkbox. Then when traffic goes to 0.0.0.0/0 it will follow your custom route.

  • @cricex 4 years ago +2

    Confused why you are opening ports to WVD services, Azure Cloud, Azure KMS when you have the whole Internet outbound still open (priority 65001).

    • @AzureAcademy 4 years ago +3

      I am assuming you are referring to the NSG rules here...you are correct that the 65001 rule allowed all outbound traffic...the point of this section was rather to show how to add the WVD rules into the NSG in case you wanted to block all outbound access, except for what you explicitly allow...good catch.

    • @cricex 4 years ago +1

      @@AzureAcademy got it, thank you!

    • @SatzingerLucas 4 years ago +1

      @@AzureAcademy And if you are using FSLogix with Azure Files, wouldn't you need a specific rule for that as well?

    • @AzureAcademy 4 years ago +2

      Good thinking Lucas. This depends on how you want to implement it. You could open a port in the firewall, or open the storage service.
      You can also enable the storage service endpoint...or use privatelink as well.
      Lots of options...if you are not sure which is right for you search my channel for those services and check out the videos we have done.

    • @AzureAcademy 4 years ago +1

      👍
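The exchange above turns on how an NSG evaluates its outbound rules: by ascending priority, first match wins, and the built-in AllowInternetOutBound rule at 65001 sits behind every custom rule, so explicit allows for the WVD, AzureCloud and KMS tags change nothing until a custom deny is added below them. The following Python is an added example, not code from the video or its commenters; the service-tag prefixes are constructed RFC 5737 placeholders, not Microsoft's published ranges, and the rule names, apart from the three default rules, are invented for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed stand-ins for Azure service tags. Real tags expand to many
# Microsoft-published prefixes; these documentation ranges exist only so the
# example runs offline.
SERVICE_TAGS = {
    "WindowsVirtualDesktop": ["203.0.113.0/24"],
    "AzureCloud": ["198.51.100.0/24"],
    "AzureKMS": ["192.0.2.0/28"],
    "VirtualNetwork": ["10.0.0.0/16"],
    "Internet": ["0.0.0.0/0"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # lower number wins; custom rules use 100-4096
    access: str          # "Allow" or "Deny"
    destination: str     # service tag, CIDR prefix, or "*"
    port: str            # single destination port as a string, or "*"
    protocol: str = "*"  # "Tcp", "Udp" or "*"


def _destination_matches(rule: Rule, dst_ip: str) -> bool:
    if rule.destination == "*":
        return True
    prefixes = SERVICE_TAGS.get(rule.destination, [rule.destination])
    addr = ip_address(dst_ip)
    return any(addr in ip_network(prefix) for prefix in prefixes)


def evaluate_outbound(rules, dst_ip: str, port: int, protocol: str = "Tcp"):
    """Return (access, rule_name) of the first matching rule in priority order.

    Mirrors NSG semantics: rules are sorted by priority, the first match
    decides, and later rules are never consulted.
    """
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol not in ("*", protocol):
            continue
        if rule.port != "*" and int(rule.port) != port:
            continue
        if _destination_matches(rule, dst_ip):
            return rule.access, rule.name
    return "Deny", "<no rule matched>"


def default_outbound_rules():
    """The three built-in outbound rules every NSG carries (they cannot be deleted)."""
    return [
        Rule("AllowVnetOutBound", 65000, "Allow", "VirtualNetwork", "*"),
        Rule("AllowInternetOutBound", 65001, "Allow", "Internet", "*"),
        Rule("DenyAllOutBound", 65500, "Deny", "*", "*"),
    ]


def wvd_allow_rules():
    """Explicit allows for the session-host dependencies named in the thread (invented names)."""
    return [
        Rule("AllowWVD", 100, "Allow", "WindowsVirtualDesktop", "443", "Tcp"),
        Rule("AllowAzureCloud", 110, "Allow", "AzureCloud", "443", "Tcp"),
        Rule("AllowKMS", 120, "Allow", "AzureKMS", "1688", "Tcp"),
        # Required once a custom deny exists: a deny at 4000 is evaluated before
        # the built-in AllowVnetOutBound at 65000, so intra-VNet traffic (domain
        # controllers, file shares) would otherwise be blocked as well.
        Rule("AllowVnetExplicit", 130, "Allow", "VirtualNetwork", "*"),
    ]


def deny_all_custom(priority: int = 4000) -> Rule:
    """The custom deny that turns the allows above into a real allow-list."""
    return Rule("DenyAllOutboundCustom", priority, "Deny", "*", "*")


if __name__ == "__main__":
    open_set = default_outbound_rules() + wvd_allow_rules()
    locked = open_set + [deny_all_custom()]
    for label, ruleset in (("allows only", open_set), ("allows + custom deny", locked)):
        print(label, "-> arbitrary internet host:", evaluate_outbound(ruleset, "93.184.216.34", 443))
        print(label, "-> WVD service tag:", evaluate_outbound(ruleset, "203.0.113.10", 443))
```

Run stand-alone it prints that an arbitrary internet host is allowed by AllowInternetOutBound until the custom deny exists, after which only the tagged destinations pass. The AllowVnetExplicit rule is the caveat worth checking in a real deployment: a catch-all deny at any custom priority also outranks the default VNet allow, so the intra-VNet paths the other threads depend on (domain controllers, Azure Files for FSLogix) need their own explicit allow.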

  • @manojpalani1129 4 years ago

    Good micro series video, waiting for the next video sessions.

    • @AzureAcademy 4 years ago

      Thanks...the next one is on Identity Security...stay tuned!

  • @ajdinzutic 3 years ago +1

    When I want to enable one storage account with port 445, do I have to set up all ~200 IP addresses from the Microsoft DCs in the firewall? Or how can this easily be done?

    • @AzureAcademy 3 years ago +2

      You can use a service tag
      Or use private link...which will give you 1 IP that represents storage...and you write your rules for that

    • @ajdinzutic 3 years ago +1

      @@AzureAcademy Yeah, but in my region it isn't shown. So can I just select them all?

    • @AzureAcademy 3 years ago +1

      You mean your region doesn't have private link???
      You can write a rule that applies to the entire subnet as well.

  • @sidzhang 4 years ago +1

    Hi Dean, at 9:28, do we need to create inbound and outbound rules for domain controller traffic if the host pool subnet and domain controller subnet are within the same VNet?

    • @AzureAcademy 4 years ago +1

      No, because the traffic would not leave the subnet...however this is not a recommended implementation. Domain controllers are high value assets and should be protected in a separate subnet and separate resource group so you can isolate the permissions to get to them and isolate the network permissions, routing and rule sets.

  • @ace00007 4 years ago +1

    Since the new ARM-based WVD is still in preview, are there any avenues for support for issues? I was having an issue with assigning users but resolved that by making myself an owner of the resource group, but now I'm having an issue where, if I want to add hosts, it wants me to create a registration key. I do that and it says successful but the key never shows up and I can't add hosts. We have MS support so I can open a case, but are they prepared to work on the new model? And there is not a WVD category to ask the case be assigned to on the web.

    • @AzureAcademy 4 years ago +2

      You can get support like you do for all other Azure issues...put in a support ticket through the portal.
      Support is not SLA-based so they will get to the issue as they can. When the new portal is GA then support will have SLAs.
      The other thing I would suggest is to create or check if the reg key was created in PowerShell.
      Run Get-AzWvdHostPool or (Get-AzWvdHostPool).RegistrationInfoToken

  • @RovieLSantos 3 years ago +1

    Hi Dean. This is really good content. Is there any way that WVD can only be accessed inside the corporate network using VPN? I know WVD can be accessed anywhere in the world but I really need to restrict access so that only through VPN can you log in and access WVD.

    • @AzureAcademy 3 years ago +1

      Since Azure Virtual Desktop is accessible over the public internet, and the connection starts with the AVD client…which could be anywhere in the world, the ONLY way to lock it down to internal users or VPN users is to use Azure AD Conditional Access Policies. Watch this video and let me know if you have questions
      th-cam.com/video/31DQ8JuLQes/w-d-xo.html

    • @satishd8326 3 years ago +1

      @@AzureAcademy Do we have an option to use Private Link?

    • @RovieLSantos 3 years ago +1

      @@AzureAcademy Hi Dean, thanks for the response. We do have conditional access in place and only trusted IPs are allowed. It works; however, we noticed that after being authenticated and then disconnecting from the VPN, you are still able to connect to the virtual desktop. We want to make sure that once you disconnect from the VPN the only way to access the virtual desktop is to connect to the VPN again.

    • @AzureAcademy 3 years ago +1

      Not at this time…but private link is generally a way to connect from your Azure network securely and directly to Azure PaaS solutions like storage or SQL. In the case of AVD, connections are made from a client, somewhere in the world, to the AVD service…so on the client side private link doesn't apply

    • @AzureAcademy 3 years ago +2

      So you need to cut off access to the AVD application from all IPs that are not in your VPN range, or your corp net, effectively blocking any public IP traffic.
      You would probably do this as the location.
      Block all IPs, then make an exception for your VPN range.

  • @vickers2007 4 years ago +1

    Hi Dean, good video. If you have a site-to-site IPsec VPN to WVD Azure, is it possible for the end clients/users which are internal to the network to access WVD through this VPN without going over the public internet? My business has workstations which for security reasons are not internet-enabled; currently using VMware Horizon on-prem.

    • @AzureAcademy 4 years ago +2

      Yes, but you would have to force-tunnel your internet traffic from the WVD VMs to a firewall or on-prem network before it goes to the internet and to the WVD service

    • @vickers2007 4 years ago +1

      Azure Academy, been looking at this and we have set up forced tunnelling which works fine, all internet traffic from the WVD VMs going out the on-prem internet link. The one thing we can't get over is that the internal workstation needs to sign in over the internet first using rdweb.WVD.Microsoft.com to access their VM. Is it possible to sign in with WVD Azure through the tunnel and not over the internet?

    • @AzureAcademy 1 year ago +1

      Yes in the firewall rules, use the AVD service tags

  • @tandonanmol 4 years ago +1

    How would you access Office 365 resources when you have Azure Firewall enabled on our host pool VMs restricting access to the web? Should we whitelist the list of IPs provided by Microsoft in that case?

    • @AzureAcademy 4 years ago +1

      Great question. Here is the doc for all the Office365 URLs and IP ranges - docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
      You can add them to the firewall just like the other URLs we added.
      The other option is to put the IP ranges into your route table to bypass the firewall and go direct to the internet.

    • @tandonanmol 4 years ago +1

      @@AzureAcademy Thanks for your inputs.

    • @AzureAcademy 4 years ago +1

      I also just found and tried this script from GitHub which will take a little setup and do some of this work for you.
      You have to set up an Azure Automation Account and import some PowerShell modules...and change the values on lines 118-120 for your resource group and network etc...
      Then it will create Azure Route Tables and put all the Office IP Ranges in there to route to the internet
      github.com/ManCalAzure/AzureLabs/blob/master/O365_IP_ADDRESSES_TO_UDR/O365-IP-ADDRESSES-TO-UDR.ps1

    • @tandonanmol 4 years ago +1

      @@AzureAcademy Amazing! This is very useful. Thanks again.

    • @AzureAcademy 4 years ago +2

      Happy to help!

  • @ajdinzutic 3 years ago

    Hi, for some reason I don't have the selection to choose a routing table at 14:15

    • @ajdinzutic 3 years ago +1

      I created a new routing table and can't set my VNet with the firewall. I created a route with "0.0.0.0/0" and the first route can only be set to next hop "Internet". Sounds strange, since I want all traffic routing into my firewall. Do I have to set up something else?

    • @AzureAcademy 3 years ago +1

      If the route table isn't in the drop-down, that is normally because the route table is in a different region than your VNet

    • @AzureAcademy 3 years ago +1

      Additionally, when you set the routes, you have 4 options.
      1. Route Name
      2. Address Prefix
      3. Next Hop Type
      4. Next Hop Address
      Name is easy; address prefix is where you want to get to, like 0.0.0.0/0 (internet).
      Next Hop Type can be:
      Gateway - to go on-prem
      Virtual Network - standard Azure routing
      Internet - standard Azure internet outbound traffic
      Virtual Appliance - this is Azure Firewall or any other firewall / router in Azure
      None - blackhole.
      Do you NOT see all those options?

    • @ajdinzutic 3 years ago +1

      @@AzureAcademy Hi, thanks for the input. I checked it again and I saw that I had selected the RT on the firewall subnet. That caused the issue. Thanks a lot, works now :)

    • @AzureAcademy 3 years ago +1

      👍👍
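Several threads above describe the same route-table mechanics from different angles: the 0.0.0.0/0 route with next hop set to the firewall's IP or the gateway, the Office 365 prefixes placed in the table to bypass the firewall, the four fields and five next-hop types listed in the last reply, and the final fix of moving the table off the firewall's subnet. The following Python is an added example, not from the video or any commenter, that models those mechanics: Azure picks the route with the longest matching prefix, which is why a specific prefix pointing at Internet wins over the 0.0.0.0/0 default pointing at the firewall. The next-hop type names are the ARM values; the firewall IP, VNet, on-prem range and the "direct" prefix are constructed, and the `check_association` function and its rule are this example's own, not an Azure feature.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# ARM next-hop type values, mapped to the descriptions given in the thread.
NEXT_HOP_TYPES = {
    "VirtualNetworkGateway": "Gateway - to go on-prem",
    "VnetLocal": "Virtual Network - standard Azure routing",
    "Internet": "Internet - standard Azure internet outbound traffic",
    "VirtualAppliance": "Virtual Appliance - Azure Firewall or any other firewall/router",
    "None": "None - blackhole",
}


@dataclass(frozen=True)
class Route:
    name: str                   # 1. Route Name
    address_prefix: str         # 2. Address Prefix: where you want to get to, e.g. 0.0.0.0/0
    next_hop_type: str          # 3. Next Hop Type: one of NEXT_HOP_TYPES
    next_hop_address: str = ""  # 4. Next Hop Address: only used for VirtualAppliance

    def __post_init__(self):
        if self.next_hop_type not in NEXT_HOP_TYPES:
            raise ValueError(f"unknown next hop type {self.next_hop_type!r}")
        if (self.next_hop_type == "VirtualAppliance") != bool(self.next_hop_address):
            raise ValueError("next hop address is required for, and only for, VirtualAppliance")


def select_route(routes, dst_ip: str):
    """Longest-prefix match: the most specific prefix wins, regardless of list order."""
    addr = ip_address(dst_ip)
    best, best_len = None, -1
    for route in routes:
        net = ip_network(route.address_prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def build_forced_tunnel_table(firewall_ip, vnet_cidr, onprem_cidr, direct_prefixes):
    """Table for a session-host subnet: everything to the firewall, except the VNet
    itself, on-prem via the gateway, and the listed prefixes straight to the internet."""
    routes = [
        Route("DefaultToFirewall", "0.0.0.0/0", "VirtualAppliance", firewall_ip),
        Route("VnetLocal", vnet_cidr, "VnetLocal"),
        Route("OnPremViaGateway", onprem_cidr, "VirtualNetworkGateway"),
    ]
    for i, prefix in enumerate(direct_prefixes):
        routes.append(Route(f"DirectToInternet{i}", prefix, "Internet"))
    return routes


def check_association(subnet_name: str, routes):
    """Example-only sanity check before attaching a table to a subnet.

    A default route whose next hop is the firewall, attached to the firewall's own
    subnet, sends the firewall's egress back to itself, which is the misstep the
    last commenter hit by selecting the RT on the firewall subnet.
    """
    findings = []
    if subnet_name == "AzureFirewallSubnet":
        for route in routes:
            if route.address_prefix == "0.0.0.0/0" and route.next_hop_type == "VirtualAppliance":
                findings.append(
                    f"{route.name}: 0.0.0.0/0 -> {route.next_hop_address} "
                    "must be attached to the session-host subnet, not AzureFirewallSubnet"
                )
    return findings


# Constructed values: firewall private IP, VNet range, on-prem range, and one
# placeholder prefix standing in for a Microsoft-published Office 365 range.
EXAMPLE_TABLE = build_forced_tunnel_table(
    "10.0.1.4", "10.0.0.0/16", "192.168.0.0/16", ["198.51.100.0/24"]
)

if __name__ == "__main__":
    for dst in ("8.8.8.8", "10.0.5.10", "192.168.1.20", "198.51.100.7"):
        chosen = select_route(EXAMPLE_TABLE, dst)
        print(f"{dst:>15} -> {chosen.name} ({chosen.next_hop_type} {chosen.next_hop_address})")
    for finding in check_association("AzureFirewallSubnet", EXAMPLE_TABLE):
        print("finding:", finding)
```

Run stand-alone it shows an arbitrary internet address going to the virtual appliance while the VNet, on-prem and placeholder Office 365 destinations take their more specific routes, and it flags the default-to-firewall route when the table is aimed at AzureFirewallSubnet. The generated Office 365 script mentioned earlier in the thread produces exactly this kind of table, only with the published prefix list in place of the single constructed one.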