How are the public IPs generated for the Windows Virtual Desktop session hosts? We have a requirement to lock down some of the access by IP, so would need to have a white-list.
Thanks.
@rhythmnewt Thank you for your feedback! We will review and provide an update as appropriate.
@ChristianMontoya Can you please share your insights on the customer's question? Thanks :)
@ChristianMontoya Did you get a chance to take a look at this customer's question? Thanks :)
@rhythmnewt : Our templates do not create any public IP addresses for the VMs, primarily because you do not need to open any inbound ports on the VMs to set up connections. All connections are created outbound from the session host VM to the Windows Virtual Desktop service.
In this way, you shouldn't need to create any public IP addresses for the virtual machines. But, if you do create them (for troubleshooting or image testing purposes), you can create those and that would be in your direct control.
@ChristianMontoya Hi Christian, thanks for your reply. What I'm looking for is a set of IPs that the Windows Virtual Desktop service uses. I have a set of web-based applications that will be running in-browser on WVD that I need to be locked down by IP address (so that they cannot be accessed from home, for example) and for that I need to know WVD service IPs to white-list.
Otherwise, just like you said, I would have to create public IPs for each of my VMs, make sure they're static, etc.
Does this make more sense?
@rhythmnewt : The scenario definitely makes sense, but I do want to add some clarity. To confirm, the intent is that these web applications can only be accessed from the published browser running as part of WVD, correct? If that's the case, the connections to those web applications are actually coming from your session host VMs in Azure, not the WVD service.
@ChristianMontoya Yes, that is correct. These web applications should only be accessed from the published browser. Then does this mean that I must provision public IPs for each of my session host VMs in order to know what they are?
@rhythmnewt : I have not tested this specifically, but it should look like this scenario: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#lb . So basically, create a load balancer, create/assign a public IP address, add the VMs to it. You will also need to add an Outbound rule for 443 so our agent can talk to the service or use HTTPS outbound in general.
@ChristianMontoya wouldn't load-balancing the VMs manually interfere with session host load balancing?
@rhythmnewt : Nope, shouldn't interfere, primarily because load balancing happens internally through the service, decides which VM to talk to, then reaches out to that VM to start an Outbound connection to the service for the end-user connection. It would most probably interfere if the connection was inbound into the load balancer (but is not the case here).
@ChristianMontoya thanks, we'll look into setting it up this way.
@rhythmnewt I'm curious how this turned out for you. We are in a similar situation with an app that only allows access from certain IPs. We have 47 hosts in our WVD pool. All are currently using the same Public IP it seems, but we did not assign it and I'm worried about it changing.
Scenario 2 in the article below suggests the IP is assigned to the Set for life and it won't change so long as the Set is never removed. Which I am fine with since I don't ever plan to remove it.
https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections#lb
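The load balancer procedure Christian describes (static public IP, Standard Load Balancer, session host NICs in the backend pool, outbound rule so the agent's HTTPS traffic still reaches the service) and the follow-up concern about the egress IP changing, written out as an Azure CLI script. This is an added example, not code from the thread or from the Windows Virtual Desktop templates. It assumes the `az` CLI is installed and logged in, that the session hosts have no Basic-SKU public IPs attached (a Standard load balancer cannot mix with them), and that they sit in the same region as the load balancer; the resource group, region and resource names are placeholders. Note that an outbound rule does not filter by destination port, it defines the SNAT mapping, so `--protocol All` is what routes the agent's port 443 traffic (and everything else) through the fixed address; destination port restrictions belong in an NSG.

```shell
#!/bin/sh
# Added example (not from the issue thread): give WVD session hosts one fixed,
# auditable egress IP through a Standard Load Balancer outbound rule.
# All names below are placeholders; override them in the environment.
set -eu

RG="${RG:-rg-wvd-hostpool}"        # assumed resource group of the host pool
LOCATION="${LOCATION:-eastus}"     # assumed region of the session hosts
LB="${LB:-lb-wvd-egress}"
PIP="${PIP:-pip-wvd-egress}"
FE="${FE:-fe-egress}"
BE="${BE:-be-sessionhosts}"

# run_az prints the command when DRY_RUN=1 (so the script can be reviewed
# without an Azure login) and executes it otherwise.
run_az() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'az %s\n' "$*"
  else
    az "$@"
  fi
}

create_egress_lb() {
  # 1. Static Standard public IP: the address is fixed for the resource's
  #    lifetime, which is what the allow-list on the web application needs.
  run_az network public-ip create -g "$RG" -n "$PIP" --location "$LOCATION" \
    --sku Standard --allocation-method Static
  # 2. Standard LB with that IP as its frontend and an empty backend pool.
  #    No inbound rules are created: WVD connections are outbound only.
  run_az network lb create -g "$RG" -n "$LB" --location "$LOCATION" --sku Standard \
    --public-ip-address "$PIP" --frontend-ip-name "$FE" --backend-pool-name "$BE"
  # 3. Outbound rule: all outbound traffic from pool members, including the
  #    agent's HTTPS (443) calls to the WVD service, is SNATed to $PIP.
  #    Outbound port counts must be a multiple of 8.
  run_az network lb outbound-rule create -g "$RG" --lb-name "$LB" -n egress-all \
    --frontend-ip-configs "$FE" --address-pool "$BE" --protocol All \
    --outbound-ports 1024 --idle-timeout 4 --enable-tcp-reset true
}

# add_session_host NIC_NAME [IPCONFIG_NAME]: put one session host's NIC in the
# backend pool so its outbound traffic uses the rule above.
add_session_host() {
  nic="$1"
  ipcfg="${2:-ipconfig1}"
  run_az network nic ip-config address-pool add -g "$RG" --nic-name "$nic" \
    --ip-config-name "$ipcfg" --lb-name "$LB" --address-pool "$BE"
}

# egress_ip prints the address to put on the web application's allow-list.
egress_ip() {
  run_az network public-ip show -g "$RG" -n "$PIP" --query ipAddress -o tsv
}

# Usage: ./egress-lb.sh apply nic-sh-01 nic-sh-02 ...
# Nothing runs unless "apply" is given, so the file can be sourced safely.
if [ "${1:-}" = "apply" ]; then
  shift
  create_egress_lb
  for nic in "$@"; do
    add_session_host "$nic"
  done
  egress_ip
fi
```

Run it once with `DRY_RUN=1 ./egress-lb.sh apply nic-sh-01` to review the exact commands, then without `DRY_RUN` to apply them. Because the public IP is a separate Static resource rather than an address Azure picked implicitly for the availability set, it survives as long as you keep the resource, and `egress_ip` gives you the single value to hand to the application owners.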