Configuring Private Access to Azure Virtual Desktop (AVD) in 2023

Captions
Hello and welcome to another tutorial by Harpy Cloud Solutions. Today we'll be looking at configuring private access to Azure Virtual Desktop. An Azure Virtual Desktop is basically a desktop and app virtualization service that runs on the cloud. It can be used to set up multi-session and even single-session for your environment at work: if you need your team members to access a particular set of instances at the same time that serve the same purpose, you can basically use an Azure Virtual Desktop. An alternative for this is something called a Citrix farm, and this is outside the solution provided by Microsoft Azure.

So today we'll be looking at and implementing this architecture. The architecture you're seeing right here is basically a high-level diagram that shows how the Private Link securely connects a local client to the Azure Virtual Desktop service. In this tutorial we will be creating a VNet, a subnet and an NSG (that's a network security group); we'll be creating an Azure Virtual Desktop; we'll disable public access to the host pool; we'll create private endpoints; we'll disable public access to the workspace; and we'll create a VM in our internal network and a Bastion host to test access. Basically, since the connection is going to be blocked from public access, we want to create a VM in the internal network of the private endpoint and then create a Bastion host, which will enable us to be in that same network, and then we'll be able to access the AVD privately. If you have a virtual private network (that's a VPN) already set up in your office, then you don't need a Bastion host; you can just set up a route which ensures that all traffic that flows from a particular range of IPs has to pass through your private endpoint subnet, and we'll see that.

So now we are in the Azure portal, and the first thing we're going to do here is to enable a feature called Azure Virtual Desktop Private Link, in case you don't have this done already. You go to your Azure subscription, you go to Preview features (currently this is no more in preview, but you can find it here), type "private", click on search and just wait for it to load. It's going to bring out a list of features. This feature was released in 2021, so it is no longer in preview; you can use this in your production environment. All right, so this is the feature I'm talking about, which is Azure Virtual Desktop Private Link. Right now I have it registered, but if you do not have it registered in your environment, all you have to do is click "Register" here and that will do it.

Now the next thing we'll be doing is to create a virtual network that we're going to use for this service. So I would go to Virtual networks and I'll create one. All right, I will put it in a resource group called avd-resource-group, and my virtual network could be avd-vnet, yes, you guessed right. Next: enable Azure Bastion; I won't do that now. Next. What I'm going to do is delete this subnet, because it's not the IP range I want to use. I'm going to use 172.21.0.0/16 and I'm going to create two subnets. The first one will be the AVD subnet, and I'll call it avd-subnet, and this will use 172.21.2.0/24, and I'll add this. Then I'm going to create another one, and this is the private endpoint subnet, so the private endpoint and the virtual machines themselves are going to sit on different subnets. So I'll put this on 172.21.3.0/24 and add. Now that we've done that, the next is to review and create, create, and now we wait. The avd-vnet has been created successfully, and as you can see here the two subnets which we created, the avd-subnet and the PE subnet, have also been created.

So now the next thing we'll be looking at is creating the virtual desktop. We basically type "virtual desktop" up there and go to Azure Virtual Desktop. Right now we're going to create a host pool. Resource group remains the same. Host pool: I'll just give it a name. For my region, Australia East. Host pool type: I'm going to say pooled, because multiple users are going to be using it. For the load balancing algorithm I'm going to choose depth-first. Depth-first means that if I say the maximum number of users is two, then for X number of instances, let me say the number of instances in my session host is three, that means when the first instance is at a capacity of 2 people, it will take the third person to the second instance; and when the second instance is maxed at two, it's going to take the fifth person to the next instance. So that's how it is.

Next is creation of virtual machines; I'm going to select yes. The prefix would be avd-vm, and still Australia East; no infrastructure redundancy, because this is just a demo and not of production standard. For the image I'm going to select Windows Enterprise multi-session, and I'll just reduce the size to something small, since this is just for a demo, and I'll choose this. Next, I'm going to say I just want two VMs. For OS disk type, HDD; leave that as it is. We created avd-vnet earlier, so I'll select that, and I'm going to use avd-subnet. Okay, so now the next is to select the Entra type: I'm going to select Microsoft Entra ID. For enrollment with Intune, if you select yes then you can enroll your VM with Intune; for this I'm just going to leave it as no, because I don't want to enroll it in Intune at the moment. Username: just give it the username; this is the username that you use to log in to the instance. All right, next: workspaces, leave that as it is; leave that as it is; review plus create; validation passed, so I'm just going to click create. This is going to take some time to create, because it's creating different resources at once, so I'm just going to pause here and come back when we're done creating this.

The Azure Virtual Desktop has been created successfully, and we can see the host pool that was created with it here. So there's the host pool here, and if you click on it you see two virtual machines are connected, and then there's also the application group that was also created with it. Something else that we need to create, which was not created earlier and which you can actually create during the initial AVD creation, is the workspace. So right now I'm just going to click on Create workspace and select the same resource group, and I'll just give this a name and friendly name; we'll just say avd-workspace. Location: Australia East, it's always Australia East. And you have to attach an application group; the application group we have in this is the one we just created right now, so I'm just going to click add and then select. Now the next thing: enable that; next; here I'll just click review plus create, and now the validation has passed, I will click create. All right, so we're basically going to wait for this to create; it shouldn't take much time. Yes, so now we've created the workspace. If we go to the workspace we see it here; later we're going to come back here, as this is one of the places where we're going to create a private endpoint connection.

But before that, let's go to the avd-subnet. If I go to the VNet and then I go to the subnets, you see this avd-subnet here. I'm going to create a network security group and attach it to this subnet, because this is where the VMs are sitting, and what I'm going to do is disable all internet outbound access. So, Network security groups, click on Create, name avd-nsg, and next, review plus create. This is basically going to create a network security group, so this shouldn't take time. Yes, it's created. Going to the network security group, we see that for the outbound rules we have the AllowVnetOutBound rule. What I'm going to do now is add another rule, and I would say destination: service tag, and I will set this to WindowsVirtualDesktop, and I would choose HTTPS for this, and then it's going to be Deny. I'll give this priority 310 and add. So now I've created a rule to prevent all access to the virtual desktop. The next thing is I'm going to associate this NSG to a subnet: I'll go to Subnets, click on Associate, and it's going to be associated with avd-subnet; click on OK, and that has been saved.

So now that is done, let's go back to the Azure Virtual Desktop. We can see that it is still showing that it's connected to the virtual machines. What I'm going to do right now is restart the VMs so that the change that we put in will kick in. If I go to Virtual machines we can see that we created two VMs, and these two VMs now have the network security group associated with them; if you look at the outbound rules you'll see the one that we just set right now. So firstly I'm going to restart this VM, and then I'll also restart the second one. All right, it's still restarting, so I'll just wait for that to be done restarting and we will continue our configuration.

When that is done restarting, the next thing we're going to do is go into the Azure Virtual Desktop, then go to Host pools and select this host pool. Refresh; the VM is still restarting. So while it's doing that, all we're going to do right now is disable public access and use private access, and then I'll just click save here. All right, so I'll just click save here, so we can see "Disable public access and use private access". Now the next thing is to create a private endpoint, still in the same resource group. We give it avd-private-endpoint; the region remains Australia East; resource: connection. Virtual network: here we're going to use the avd-vnet we created, but then we're going to select the PE subnet; remember I said this is going to be used for the private endpoint. Then I'll leave this as it is; go to DNS; I'm going to use this; then next to Tags, I'm just going to leave that like that; validation passed, and then I'm going to create. So I'm just going to wait for this to be done creating, and then I will come back when it's done.

The private endpoint which I created for the host pool has been created successfully, and what I went on to do was to also create a private endpoint for the workspaces, and I'll show you that, just to save time. If I go to the Azure Virtual Desktop, you'll see that in the host pool, if you click Networking, we now have, first of all, public access disabled, and we have a private endpoint that has been created here, and we can also see that there's a connection being established here. This connection is not going through the public internet but it's going through the Private Link, because, as you saw earlier on, I disabled outbound access or outbound traffic to the Azure Virtual Desktop. So right now we would look at the workspaces. What I did was to also disable public access here, and then I created a private endpoint also for this. If I click on the private endpoint I created, you see that the target sub-resource that this was created for is "feed". Okay, and when you're creating this Private Link solution you have to create two private endpoints for your workspace: you have to create one for feed and you have to create one for global. So now I've created one for feed and I'm going to create one for global. I'll say avd-workspace-PE-global, and the region remains Australia East. Next: the target sub-resource, I've created for feed, so now create for global. Network: PE subnet remains the same; DNS, leave it as it is; next, tags; review, create, and then create. So now we're just going to wait for this to be done creating, and after the creation is done we have successfully deployed our architecture, where all traffic to AVD has to go through the Private Link; it has to go through the private network, because from all you've seen right now, you've seen that we've disabled public access and only said that private access should be used.

Once this is done creating, what we're going to be looking at is going to the virtual machines and creating another virtual machine. The reason I'm creating this virtual machine is because I currently do not have a VPN set up. If you have a VPN set up, you can basically just set up a site-to-site VPN that communicates with your PE subnet; the PE subnet is where your private endpoint sits. So right now I'm going to create a VM sitting in the PE subnet, and it's going to have only private access, and then I'll also create a Bastion host which enables me to access that VM in the internal network. All right, so let's do this. I'll wait for this to be done creating, and then we will come back and continue to create the VM.

All right, so we are getting there. Right now we've created the last private endpoint which we're going to create today, which is the private endpoint for global. So we've created three endpoints now: we created the first one for the host pool, we created one for feed, and then we created one for global. So right now I'll go back to Azure Virtual Desktop. Something that we shouldn't forget, and it's very important, is to add your users and groups to the application group. Basically, your users and groups are the people that are going to have access to the workspace that you create. In this case I'm just going to add myself as a user, and I'm going to look for Harpy Cloud Solutions, and let's go with this; select, and then I'll assign, because it's important: everybody that needs to access it has to be added in the Assignments section.

All right, with that done, the next thing that we're going to do is create a virtual machine, and like I said, the virtual machine is going to sit in the same network with the PE subnet. I'm doing this because I do not have a virtual private network (that's a VPN) set up. So if you do have a VPN set up, all you have to do is add that PE subnet route to your firewall, and then you will create a route on Azure to say let all traffic go through your PE subnet. All right, so I'm going to create a VM. What name should I give it? vm-pe-for-avd, right; yeah, that's a funny name, but you get the point. All right, we go to Standard; I'll give it a 2019 image, it doesn't really matter; I'll give it this, because it doesn't really matter. Okay, I'm going to leave RDP, because I'm going to go in anyway. HDD, leave this as it is. Next: networking. Like I said, we're going to use the PE subnet, that's just what we're going to use. We don't need a public IP, because we're going to use a Bastion host to get into this, so I'm going to remove this public IP. We're only going to use the private IP, because remember we want only private access, we want it to be in an internal network, so no public IP. All right, so with that set, I'll keep this; next, management, leave it as it is; I don't need this right now, I'm just going to disable it, and then review plus create, and create.

All right, we are almost there. Right now, when my VM is done creating, I'm going to enable Bastion on the VM and then I can access the VM. Something else to note is that for Azure Virtual Desktop there is a general default URL to access it, and this is it. So right now let me go to this link and let's see what it tells me. Okay, I need to do my authentication; yes, just to say "stay signed in"; all right, it's done. Okay, so now it's taking me to that AVD workspace which I created, but it's saying "failed to get resources for avd workspace: access is forbidden". Yay! So now we've been able to see that public access is not allowed. So right now, when we're done creating the VM and we've created a Bastion, and we are in the same private network with the PE subnet, then we will try this again, and then it should work, because it is not public access.

All right, the VM is created; let's go to the resource. Next, I'm going to create a Bastion. Let's do this: deploy Bastion. I'm going to wait for the Bastion host to be deployed successfully and we will come back shortly. So right now we are almost about to be done. The Bastion host has been created, and I'm just going to log in using the credentials that I used to create the VM, and then connect. Now what this is doing is it's going to connect me into the VM, which is the vm-pe-for-avd, the one I created to enable me to be in the same private and internal network as the PE subnet. Once this is done loading, we will then try this exact URL that failed in the public network; we're going to try it inside this internal network when the server has loaded up. So now we just wait; in the meantime I'll just copy this URL and wait for the VM to load up.

All right, so the server is up and running now, and I will just go to the Edge browser, and in the Edge browser what I've done is to input the URL that I copied, which is this one, and I click on enter. It's going to require me to sign in with my credentials, so I'm just going to get the credentials, sign in, just hold up, and I'll just use myself; and I'll get this; go back. All right, all right, so I'm in now. Moment of truth, and voilà: we can see that the session host is visible for us who are in the internal network, but if you go outside the internal network, that's the public IP, public access, you won't be able to see the workspace; you won't be able to see any of the session hosts. Like you saw here, it's going to show you "access is forbidden from this network", but when you do it inside the internal network, whether you're on a VPN or whatever network that you have configured to allow access through your PE subnet, then you'll be able to access your session host. So now all you have to do is click it, go into the session host, log into the session host with the credentials that you used to create the VMs, and that should work.

So basically the point that we tried to prove here is to show that you can actually configure private access to your Azure Virtual Desktop and protect it from malicious users. I hope you were able to get a thing or two and also implement this in your environment. You can leave a comment below if you have any questions and I'll be ready to answer them. Thank you. If you want to see more of these videos you can subscribe to the Harpy Cloud Solutions YouTube channel, and also if you want to learn more about Azure or you have a project that you need assistance with, Harpy Cloud Solutions is always available and more than ready to help you. Just reach out to us at www.harpycloudsolutions.com and you can always contact us through the forms that are made available on the website. Thank you, see you later.
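The portal walkthrough above (VNet with separate session-host and private-endpoint subnets, the outbound deny rule, public access switched off on the host pool and workspace, and the three private endpoints for the connection, feed and global sub-resources) is reproduced below as an added Azure PowerShell script. This is editor-supplied example code, not code from the video or from Harpy Cloud Solutions. It assumes the Az.Accounts, Az.Network, Az.PrivateDns and Az.DesktopVirtualization modules are installed and a subscription context is already selected, that the host pool and workspace were created beforehand (as in the video), and that the resource names and the 172.21.0.0/16 address plan are placeholders taken from the narration. The test VM and Bastion host are left out; the script ends with the checks a reviewer would run before calling the deployment private.

```powershell
# Added example, not code from the video. Assumes the Az.Accounts, Az.Network,
# Az.PrivateDns and Az.DesktopVirtualization modules are installed and that
# Connect-AzAccount / Set-AzContext have already selected the subscription.
# Names and address ranges follow the video and are placeholders; change them.
$rg            = 'avd-resource-group'
$location      = 'australiaeast'
$hostPoolName  = 'avd-hostpool'     # assumed name of the host pool created in the portal
$workspaceName = 'avd-workspace'    # assumed name of the workspace created in the portal

# --- 1. Network: VNet with a session-host subnet and a separate private-endpoint subnet ---
# Outbound deny to the WindowsVirtualDesktop service tag on the session-host subnet,
# matching the rule added in the portal (priority 310, TCP 443, Deny).
$denyAvdPublic = New-AzNetworkSecurityRuleConfig -Name 'Deny-WindowsVirtualDesktop-Outbound' `
    -Direction Outbound -Access Deny -Protocol Tcp -Priority 310 `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix 'WindowsVirtualDesktop' -DestinationPortRange 443
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'avd-nsg' -SecurityRules $denyAvdPublic

$avdSubnet = New-AzVirtualNetworkSubnetConfig -Name 'avd-subnet' -AddressPrefix '172.21.2.0/24' `
    -NetworkSecurityGroup $nsg
$peSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'pe-subnet'  -AddressPrefix '172.21.3.0/24'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Location $location -Name 'avd-vnet' `
    -AddressPrefix '172.21.0.0/16' -Subnet $avdSubnet, $peSubnet
$peSubnetRef = $vnet.Subnets | Where-Object { $_.Name -eq 'pe-subnet' }

# --- 2. Private DNS zone so hosts inside the VNet resolve AVD names to the endpoint IPs ---
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name 'privatelink.wvd.microsoft.com'
New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zone.Name `
    -Name 'avd-vnet-link' -VirtualNetworkId $vnet.Id | Out-Null

# --- 3. Turn off public network access on the host pool and the workspace ---
Update-AzWvdHostPool  -ResourceGroupName $rg -Name $hostPoolName  -PublicNetworkAccess Disabled | Out-Null
Update-AzWvdWorkspace -ResourceGroupName $rg -Name $workspaceName -PublicNetworkAccess Disabled | Out-Null
$hostPool  = Get-AzWvdHostPool  -ResourceGroupName $rg -Name $hostPoolName
$workspace = Get-AzWvdWorkspace -ResourceGroupName $rg -Name $workspaceName

# --- 4. One private endpoint per sub-resource, each registered in the private DNS zone ---
function New-AvdPrivateEndpoint {
    param([string]$Name, [string]$TargetResourceId, [string]$GroupId)
    $conn = New-AzPrivateLinkServiceConnection -Name "$Name-connection" `
        -PrivateLinkServiceId $TargetResourceId -GroupId $GroupId
    $pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Location $location -Name $Name `
        -Subnet $peSubnetRef -PrivateLinkServiceConnection $conn
    # The zone group is what writes the A records; without it the FQDNs keep resolving publicly.
    $zoneConfig = New-AzPrivateDnsZoneConfig -Name 'privatelink-wvd-microsoft-com' `
        -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null
    return $pe
}

# Group IDs are the AVD Private Link sub-resources: host pool "connection", workspace "feed" and "global".
New-AvdPrivateEndpoint -Name 'avd-hostpool-pe'         -TargetResourceId $hostPool.Id  -GroupId 'connection'
New-AvdPrivateEndpoint -Name 'avd-workspace-pe-feed'   -TargetResourceId $workspace.Id -GroupId 'feed'
New-AvdPrivateEndpoint -Name 'avd-workspace-pe-global' -TargetResourceId $workspace.Id -GroupId 'global'

# --- 5. Checks before calling the deployment "private" ---
$hostPool  = Get-AzWvdHostPool  -ResourceGroupName $rg -Name $hostPoolName
$workspace = Get-AzWvdWorkspace -ResourceGroupName $rg -Name $workspaceName
if ($hostPool.PublicNetworkAccess -ne 'Disabled' -or $workspace.PublicNetworkAccess -ne 'Disabled') {
    throw 'Public network access is still enabled on the host pool or workspace.'
}
# Every private endpoint connection on both resources should be Approved (auto-approved when
# the creator has rights on the target; a Pending state means clients will still be blocked).
@($hostPool.Id, $workspace.Id) | ForEach-Object {
    Get-AzPrivateEndpointConnection -PrivateLinkResourceId $_ |
        Where-Object { $_.PrivateLinkServiceConnectionState.Status -ne 'Approved' } |
        ForEach-Object { Write-Warning "Endpoint connection $($_.Name) is $($_.PrivateLinkServiceConnectionState.Status)" }
}
# The A records in the zone are the evidence that AVD FQDNs now resolve to 172.21.3.x inside the VNet.
Get-AzPrivateDnsRecordSet -ResourceGroupName $rg -ZoneName $zone.Name -RecordType A |
    Select-Object Name, @{ n = 'IP'; e = { $_.Records.Ipv4Address -join ',' } }
```

Two points worth keeping in mind when adapting this. Setting `PublicNetworkAccess` to `Disabled` on the host pool cuts off the public path for the session hosts as well as for clients, so the session-host subnet must be in a VNet that is linked to the `privatelink.wvd.microsoft.com` zone (here it shares `avd-vnet` with the endpoint subnet) and the hosts should be restarted afterwards, as the video does, so the agent reconnects over the private path. And the `global` sub-resource governs initial feed discovery for the whole tenant rather than a single workspace; check Microsoft's current Private Link guidance on how many global endpoints to create before repeating that step for a second workspace.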
Info
Channel: Harpy Cloud Solutions
Views: 2,629
Keywords: Harpy Cloud Solutions, HCS, Azure Virtual Desktop, Private Access, Private Link, How to create a private connection to Azure Virtual Desktop (AVD), how to create network security group, how to create a bastion host, Multi-session, Create Private Endpoint, Disable public access to AVD workspace, Create a VM in an Internal Network, Create a VNet, Subnet, azure virtual desktop demo, windows virtual desktop
Id: rhauF6vitt4
Length: 27min 47sec (1667 seconds)
Published: Sat Oct 28 2023