Azure Virtual Desktop
A Microsoft desktop and app virtualization service that runs on Azure. Previously known as Windows Virtual Desktop.
1,763 questions
Azure AVD and Azure Firewall
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 61%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
TalaT
0
Reputation points
Dear Experts,
I have been pulling my hairs for some time getting the AVD behind Azure firewall premium working.
Following the steps explained below: I have tripple checked all the FQDNs and Service Tags are allowed (incl WindowsVirtualDesktop)
https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop
https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure
https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal-policy
https://learn.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
As soon as I associated the subnet of AVD to the UDR forcing incoming/outgoing traffic Azure Firewall; the session host becomes unavailable in the host pool and remote desktop client is unable to connect.
I have an DNAT rule in firewall policy that translates 3389 on firewall public IP to the AVD private IP.
I have Network rules that allow all 443 on TCP (for testing).
When I disassociated the avd subnet from the UDR and connect to AVD; I see below errors in the application log (during the time when firewall is in between).
I have a network rule named "allow-AVD-Required02" that allows FQDNs:
0b18276f-ea9e-41a5-b682-bd96d6270d3c.rdbroker-g-au-r1.wvd.microsoft.com,0b18276f-ea9e-41a5-b682-bd96d6270d3c.rdbroker.wvd.microsoft.com,0b18276f-ea9e-41a5-b682-bd96d6270d3c.rddiagnostics-g-au-r1.wvd.microsoft.com,mrsglobalsteus2prod.blob.core.windows.net,login.microsoftonline.com,catalogartifact.azureedge.net,gcs.prod.monitoring.core.windows.net,azkms.core.windows.net,mrsglobalsteus2prod.blob.core.windows.net,wvdportalstorageblob.blob.core.windows.net,oneocsp.microsoft.com,www.microsoft.com,aka.ms,www.msftconnecttest.com
I can see below error in the AzureDiagnostics table in LA:
Failed to resolve FQDN 0b18276f-ea9e-41a5-b682-bd96d6270d3c.rdbroker-g-au-r1.wvd.microsoft.com. Error lookup 0b18276f-ea9e-41a5-b682-bd96d6270d3c.rdbroker-g-au-r1.wvd.microsoft.com on 127.0.0.53:53: read udp 10.26.65.6:13140->10.26.65.6:65053: read: connection refused; DNS resolution returned no IPs. Rule Collection: my-fwl-policy-01:fwl-policy:fwl-policy-avd-rcl-01. Rule: allow-AVD-Required02
My DNS Setting on firewall policy is below:
The AVD VNET as DNS setting pointing to the firewall private IP. I have tried disabling the DNS in firewall and removing firewall private ip from avd VNET DNS settings; but avd is still inaccessible.
Please Help!!!!!! :)
Azure Virtual Desktop
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 79%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3END%3C/text%3E%3C/svg%3E)
Nikhil Duserla 6,955 Reputation points Microsoft External Staff2025-04-21T12:22:22.62+00:00 Hello @TalaT,
Did you attempt to access the AVD host pool VMs before configuring the firewall?
-
TalaT 0 Reputation points
2025-04-21T12:45:03.4433333+00:00 Hi Nikhil,
Yes, the AVD was deployed before configuring the firewall. It works fine before forcing the traffic through the firewall in the user defined route below.
When I disassociate the route, the AVD becomes accessible.
-
JimmySalian-2011 42,451 Reputation points2025-04-21T14:29:58.11+00:00 Hi Talat,
I will suggest you to review the detailed article to integrate Azure Firewall and AVD over here - https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?context=%2Fazure%2Fvirtual-desktop%2Fcontext%2Fcontext
Also there is Github repo for setting up the FW Policy, so worth checking it out for comparision and deploy - https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD
Hope this helps.
JS
==
Please accept as answer and do a Thumbs-up to upvote this response if you are satisfied with the community help. Your upvote will be beneficial for the community users facing similar issues.
-
JimmySalian-2011 42,451 Reputation points
2025-04-21T14:30:58.3566667+00:00 Also to add there is a note
-
TalaT 0 Reputation points
2025-04-22T00:59:34.5266667+00:00 Thanks Jimmy, adding the route to the servicetag has improved the situation a bit.
The host pool now reports the AVD session host from Unavailable to Unhealthy.
Connecting from remote desktop client gets stuck at "Establishing Secure Connection".
I see below DNSQueries related to the urls: I have double checked these urls are allowed in network and app FQDN rules.
I am going to try deploying the FW policy from github to see if that helps.
https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD
-
TalaT 0 Reputation points
2025-04-22T02:15:03.8866667+00:00 Just confirming that associating the firewall to the policy from GITHUB didn't resolve the issue. The AVD is inaccessible and shows up Unavailable in the host pool.
Route:
Github Template FW Policy:
I had to manually add DNAT rule which brings it back to "Need Assistance" state but unable to connect.
I can see same old errors in the AVD Host Event Log:
Sign in to comment
Sign in to answer