WVD inbound IP address restrictions

Question

How can I control which IP addresses can connect to my Windows Virtual Desktop (ARM) VMs? Can I configure it so that WVD is available only from within a VNet, including clients connected via point-to-site VPN?

Answer 1

@Thomas Mueller Thank you for your query.You can achieve the mentioned ask using Conditional Access Policy in Azure.

You need to have a P1 or P2 license in Azure so that Conditional Access Policy functionality works for you.
Then you need to have atleast Conditional Access Admin permission over the directory.
Security Admin and Global Admin roles also can perform the mentioned ask on directory.

Follow the below steps to create Conditional Access Policy :

• Sign in to the Azure portal as a global administrator, security administrator, or Conditional Access administrator.
• Browse to Azure Active Directory > Security > Conditional Access.
• On the Conditional Access page, select Named locations and select New location.
• Fill out the form on the new page. 1) In the Name box, type a name for your named location. 2)In the IP ranges box, type the IP range in CIDR format. 3)Click Create. Note: You need to add the IP ranges here which you want to allow access to WVD.
• Browse to Azure Active Directory > Security > Conditional Access.
• Select New policy.
• Give your policy a name. We recommend that organizations create a meaningful standard for the names of their policies.
• Under Assignments, select Users and groups.
• Under Include, Select users and groups > Users and groups > Choose the users or group for whom you want to apply this Conditional Access policy on.
• Select Done.
• Under Cloud apps or actions > Include, select Select apps.
• Select one of the following groups of apps based on which version of Windows Virtual Desktop you're using.
• If you're using Windows Virtual Desktop (classic), choose these two apps:
  Windows Virtual Desktop (App ID)
  Windows Virtual Desktop Client (App ID)
• If you're using Windows Virtual Desktop, choose these two apps instead:
  Windows Virtual Desktop (App ID)
  Windows Virtual Desktop Client (App ID) -Once you've selected your app, choose Select, and then select Done.
• Under Condition > Select Locations > Toggle Configure to Yes >Include > All Trusted Location
• Under Access controls > Grant, select Grant access, Require multi-factor authentication(or any other option as per requirement) and then Select.
  Note:You either need to configure Grant or Session Control to create the policy.
• Confirm your settings and set Enable policy to On.
• Select Create to enable your policy. Hope it helps.

Do let me know in case of any more queries.

Please 'Accept as answer' if it helped, so that it can help others in the community looking for help on similar topics

Answer 2

Iam having a similar issue, can someone provide some suggestions? We have multiple wvd host pools today, one of them let's call is is "mainsite pool"

we have setup an AD group called mainsite users and assigned that group to access this wvd host pool

what we now want to do is ensure these mainsite users can not login from anywhere else but the main site?

we have a vpn tunnel from azure to the main site. i've created a policy with 10.0.0.0/16 (the local subnet of the mainsite)

what do we do from here to ensure mainsite users can not login to WVD from home or anywhere else? i basically want to say members of this group can only access this host pool from this site.

Answer 3

this above part is confusing: we dont have any requirements we just need to limit access to the given wvd host pool to the local LAN only.

"Under Access controls > Grant, select Grant access, Require multi-factor authentication(or any other option as per requirement) and then Select"