For anyone who is trying to achieve the following scenario, I am describing the end-to-end setup steps so that they don't waste time figuring things out like I did.
Scenario: Access Azure Virtual Desktop over Private Link from a Point-to-Site VPN (or Site-to-Site VPN) that uses Entra ID authentication and SSO.
You will need the following resources:
- VNet with separate subnets (AVD HostPool, PrivateEndpoints, Gateway)
  - Create the AVD HostPool and PrivateEndpoints subnets with no outbound connectivity
  - The Gateway subnet is created automatically
  - Expose the Service Endpoint for Azure Active Directory in the subnets
- NSG blocking 443 outbound, attached to the AVD HostPool subnet
  - This blocks internet traffic from AVD. Tune it to your requirements
- VPN Gateway with the Point-to-Site connection configuration done
  - Add the VNet CIDR under "Advertised Route" in the P2S configuration
  - I used the Azure Public value "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
- Azure Virtual Desktop Host Pool
  - Create a Private Endpoint and disable all public access on the host pool
  - Under Microsoft Entra ID SSO, select "Connections will use Entra ID SSO"
- Azure Virtual Desktop Application Group
- Azure Virtual Desktop Workspace
  - Create Private Endpoints (Global and Feed) and disable public access from all networks
- Private DNS zones are created automatically for the AVD HostPool Private Endpoint and the AVD Workspace Private Endpoint (Global). Don't change the config here.
- DNS Private Resolver (Inbound Endpoint)
  - Create an additional subnet with a /28 CIDR for it in the same VNet
  - Use the inbound IP allocated to the Private Resolver as the custom DNS server on the VNet

Once all this configuration is completed, install the Azure VPN Client and the Microsoft Remote Desktop app on your laptop (Windows/Linux/Mac):
- Download the VPN config from the Point-to-Site configuration blade of the VPN Gateway.
- Open the azurevpnconfig.xml file and add the following config there.
- Save the profile, import it into the Azure VPN Client and connect using your Entra ID credentials.
- Once connected, use nslookup to check whether rdweb.wvd.microsoft.com and client.wvd.microsoft.com resolve to a private IP.
- If they do, use that URL (https://rdweb.wvd.microsoft.com or https://client.wvd.microsoft.com) to add the workspace in the Microsoft Remote Desktop app, and you should be able to connect.

Please let me know in case you need additional information to get this working.
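The two steps above that are easiest to get wrong are the DNS path over the tunnel and the final nslookup check. The script below is an added example, not part of the original post or an Azure tool: it inserts a custom DNS server entry into an azurevpnconfig.xml profile so the client sends queries through the tunnel to the Private Resolver's inbound endpoint (clientconfig/dnsservers is the Azure VPN Client profile's documented custom DNS setting; that this matches the fragment the author added is an assumption), and it checks that the two AVD hostnames resolve into the VNet rather than to a public address. The resolver IP 10.0.4.4, the VNet CIDR 10.0.0.0/16, the sample profile and the sample nslookup output are all constructed placeholders.

```python
from __future__ import annotations

import ipaddress
import re
import socket
import xml.etree.ElementTree as ET

# Constructed placeholders: replace with your resolver inbound IP and VNet CIDR.
RESOLVER_INBOUND_IP = "10.0.4.4"
VNET_CIDR = "10.0.0.0/16"

# The hostnames the post checks with nslookup once the tunnel is up.
AVD_HOSTS = ["rdweb.wvd.microsoft.com", "client.wvd.microsoft.com"]

# Constructed, minimal stand-in for a downloaded azurevpnconfig.xml
# (the real file carries more elements; only the root and namespace matter here).
SAMPLE_PROFILE = """<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <name>constructed-p2s-profile</name>
</AzVpnProfile>"""

# Constructed nslookup output: the first block names the server that answered,
# the block after the blank line is the answer section.
SAMPLE_NSLOOKUP = """Server:\t\t10.0.4.4
Address:\t10.0.4.4#53

Non-authoritative answer:
Name:\trdweb.wvd.microsoft.com
Address: 10.0.2.5
"""


def _qualifier(root: ET.Element):
    """Build '{namespace}tag' names matching the profile's root namespace, if any."""
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace on output
        return lambda tag: f"{{{ns}}}{tag}"
    return lambda tag: tag


def add_custom_dns(profile_xml: str, dns_ip: str) -> str:
    """Return the profile with <clientconfig><dnsservers><dnsserver> set to dns_ip.

    Assumption: this is the setting that points the tunnel's DNS at the
    Private Resolver inbound endpoint. Existing entries are kept; the IP is
    validated so a typo cannot silently break name resolution over the VPN."""
    ipaddress.ip_address(dns_ip)  # raises ValueError on a malformed address
    root = ET.fromstring(profile_xml)
    q = _qualifier(root)
    clientconfig = root.find(q("clientconfig"))
    if clientconfig is None:
        clientconfig = ET.SubElement(root, q("clientconfig"))
    dnsservers = clientconfig.find(q("dnsservers"))
    if dnsservers is None:
        dnsservers = ET.SubElement(clientconfig, q("dnsservers"))
    if dns_ip not in [e.text for e in dnsservers.findall(q("dnsserver"))]:
        ET.SubElement(dnsservers, q("dnsserver")).text = dns_ip
    return ET.tostring(root, encoding="unicode")


def dns_servers(profile_xml: str) -> list[str]:
    """List the custom DNS servers configured in a profile (empty if none)."""
    root = ET.fromstring(profile_xml)
    q = _qualifier(root)
    path = f"./{q('clientconfig')}/{q('dnsservers')}/{q('dnsserver')}"
    return [e.text for e in root.findall(path)]


def parse_nslookup(output: str) -> list[str]:
    """Extract the answer addresses from nslookup output (Windows or Unix layout).

    Everything before the first blank line describes the resolver itself, so it
    is dropped; otherwise the resolver's own IP would be mistaken for an answer."""
    _, _, answer = output.replace("\r\n", "\n").partition("\n\n")
    return re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", answer)


def check_private_resolution(host_to_addrs: dict[str, list[str]], vnet_cidr: str) -> dict[str, bool]:
    """True per host only if it resolved and every address lies inside the VNet.

    A public address (or no answer) means the query did not reach the private
    DNS zone through the resolver, so the Remote Desktop client would bypass
    the Private Endpoints."""
    net = ipaddress.ip_network(vnet_cidr)
    return {
        host: bool(addrs) and all(ipaddress.ip_address(a) in net for a in addrs)
        for host, addrs in host_to_addrs.items()
    }


def resolve_live(hosts: list[str] = AVD_HOSTS) -> dict[str, list[str]]:
    """Resolve with the system resolver (the tunnel's DNS once the VPN is connected)."""
    results: dict[str, list[str]] = {}
    for host in hosts:
        try:
            infos = socket.getaddrinfo(host, 443, socket.AF_INET)
            results[host] = sorted({info[4][0] for info in infos})
        except socket.gaierror:
            results[host] = []
    return results


if __name__ == "__main__":
    print(add_custom_dns(SAMPLE_PROFILE, RESOLVER_INBOUND_IP))
    for host, ok in check_private_resolution(resolve_live(), VNET_CIDR).items():
        print(f"{host}: {'private (OK)' if ok else 'NOT private - check custom DNS / resolver'}")
```

Run it after connecting the VPN; a host reported as not private usually means the profile was imported without the dnsservers entry or the VNet is not using the resolver's inbound IP as its custom DNS server.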