This tutorial guides you through creating the Azure Enclave environment for Azure Virtual Desktop and Azure Kubernetes Service (AKS) workloads. You set up common dependencies, create separate enclaves with properly sized subnets, deploy private DNS zones, and configure community and enclave endpoints for network connectivity.
In this tutorial, you learn how to:
- Set up common dependencies (managed identity, Key Vault, encryption)
- Create Azure Virtual Desktop enclave with management and session host subnets
- Create AKS enclave with node, API server, and private endpoint subnets
- Deploy and link private DNS zones
- Create community endpoints for external connectivity
- Create enclave endpoints and connections for inter-enclave communication
Prerequisites
- Understanding of Tutorial 2-1: Plan your architecture
- Contributor access to the resource group containing the community
- Contributor access to the subscription for creating resources
Before you begin
This tutorial assumes you have:
- An existing community deployed from Tutorial 1
- Planned your architecture including subnet sizes (see Tutorial 2-1)
- Identified the Azure region for your enclaves
Important
This tutorial uses placeholder names. Replace myResourceGroup, fabrikam, avd-enclave, aks-enclave, etc. with your own naming convention.
Set up common dependencies
Both Azure Virtual Desktop and AKS workloads require common dependencies for encryption and security. This section provides detailed steps to create these shared resources. These steps can be referenced from other tutorials when setting up encryption and security.
Create a shared services workload
First, create a workload in your existing enclave (or create a new enclave) to host shared services.
- In the Azure portal, navigate to your Azure Enclave service.
- Select Communities and open your community (for example, fabrikam).
- Select an existing enclave or create a new shared services enclave:
  - Enclave name: shared-services
  - Address space: 10.1.0.0/16 (adjust based on your community IP address range)
  - Configure a subnet for shared resources: SharedServicesSubnet with a /24 IP address range
- In the enclave, select Workloads > + Create.
- Configure the workload:
  - Workload name: shared-workload
  - Create resource group: Select Create new
  - Resource group name: rg-shared-services
- Select Review + create and then Create.
Create common dependency resources
Add required dependency resources to your workload:
- A managed identity provides an identity for Azure resources to authenticate without storing credentials.
- Azure Key Vault stores encryption keys, secrets, and certificates securely.
- The customer-managed key encrypts data at rest in your workloads.
- The disk encryption set applies the customer-managed key (CMK) based encryption to Virtual Machine (VM) disks.
- In the Azure portal, search for your shared services workload name.
- Select + Add An Azure Service.
- Select Common Dependency from the dropdown list, verify the selected resource group, and select Next.
- Configure the resources:
  - Key Vault Name: Provide a unique Key Vault name, for example kv-ave-shared-<uniqueid>
  - CMK Key Name: Provide a CMK name like cmk-ave-encryption
  - User Assigned Managed Identity Name: Provide a managed identity resource name like id-ave-encryption
  - Identity Type: Select UserAssigned in the drop-down.
  - Disk Encryption Set Name: des-ave-encryption
- Select Review + create and then Create.
- After deployment completes, navigate to the managed identity.
Grant managed identity access to Key Vault key
The managed identity needs permission to use the encryption key.
- In your Key Vault, select Access control (IAM).
- Select + Add, then select Add role assignment.
- On the Role tab:
  - Search for and select Key Vault Crypto Service Encryption User
  - Select Next
- On the Members tab:
  - Select Managed identity
  - Select + Select members
  - Select User-assigned managed identity for the Managed identity
  - Select your managed identity: id-ave-encryption
  - Select Select
  - Select Next
- On the Review + assign tab, select Review + assign.
Grant managed identity access to enclave resources
For Azure Enclave-managed resources, the identity needs contributor access.
- Navigate to your shared services enclave managed resource group (for example, shared-services-HostedResources-<guid>).
- Select Access control (IAM).
- Select + Add, then select Add role assignment.
- Assign the Contributor role:
  - Role: Contributor
  - Assign access to: Managed identity
  - Members: Select your managed identity id-ave-encryption
- Select Review + assign.
Validate common dependencies
Verify all resources are created and configured correctly:
- User Assigned Managed Identity id-ave-encryption created
- Key Vault kv-ave-shared-<uniqueid> created
- Customer Managed Key cmk-ave-encryption created in Key Vault
- Managed identity has the Key Vault Crypto Service Encryption User role on the key
- Disk Encryption Set des-ave-encryption created and linked to the key and identity
- Managed identity has the Contributor role on the enclave managed resource group
Create Azure Virtual Desktop enclave
Now create a dedicated enclave for Azure Virtual Desktop workloads.
- In your community (for example, fabrikam), select Enclaves > + Create.
- Configure the Azure Virtual Desktop enclave:
  - Enclave name: avd-enclave
  - Region: Same region as your community
  - Address space: 10.2.0.0/16
- Select Next: Subnets.
- Add the management subnet:
  - Select + Add subnet
  - Subnet name: AzureVirtualDesktopManagementSubnet
  - Subnet address range: 10.2.1.0/24
  - Add Network Security Group: Select Add new
  - Network Security Group name: nsg-avd-management
  - Select OK
- Add the session hosts subnet:
  - Select + Add subnet
  - Subnet name: AzureVirtualDesktopSessionHostsSubnet
  - Subnet address range: 10.2.2.0/24
  - Add Network Security Group: Select Add new
  - Network Security Group name: nsg-avd-sessionhosts
  - Select OK
- Select Review + create and then Create.
Note
Enclave deployment takes 30-45 minutes. You can continue to plan the AKS enclave during deployment.
Create AKS enclave
Create a dedicated enclave for Azure Kubernetes Service workloads.
- In your community, select Enclaves > + Create.
- Configure the AKS enclave:
  - Enclave name: aks-enclave
  - Region: Same region as your community
  - Address space: 10.3.0.0/16
- Select Next: Subnets.
- Add the node subnet:
  - Select + Add subnet
  - Subnet name: aksSubnet
  - Subnet address range: 10.3.1.0/25 (128 IPs)
  - Add Network Security Group: Select Add new
  - Network Security Group name: nsg-aks-nodes
  - Subnet delegation: None (no delegation for the AKS node subnet)
  - Select OK
- Add the API server subnet:
  - Select + Add subnet
  - Subnet name: agentSubnet
  - Subnet address range: 10.3.1.128/28 (16 IPs)
  - Add Network Security Group: Use existing nsg-aks-nodes
  - Subnet delegation: None
  - Select OK
- Add the private endpoint subnet:
  - Select + Add subnet
  - Subnet name: AzureVirtualEnclaveSubnet
  - Subnet address range: 10.3.2.0/26 (64 IPs)
  - Add Network Security Group: Use existing nsg-aks-nodes
  - Subnet delegation: None (important: no delegation for private endpoints)
  - Select OK
- Select Review + create and then Create.
Important
Wait for both enclave deployments to complete before proceeding to the next steps.
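Before you select Create on either enclave, it's worth checking the subnet plan as a whole: a subnet outside its enclave address space or overlapping another one is rejected at deployment, and overlapping enclave address spaces leave enclave connections with no unambiguous route. The following Python script is an added example, not part of this tutorial or the Azure Enclave service. It encodes the address spaces and subnets used on this page as constructed data (SharedServicesSubnet is given only as "a /24" above, so 10.1.1.0/24 is an assumption) and checks that every subnet lies inside its enclave address space, that no two subnets overlap within or across enclaves, that the enclave address spaces are disjoint, and that the IP counts noted next to the AKS subnets match their prefix lengths. It also reports usable addresses per subnet, since Azure reserves five addresses in every subnet.

```python
import ipaddress
from typing import Dict, List

# Subnet plan for the three enclaves, constructed from the values used in this
# tutorial. SharedServicesSubnet is only specified as "a /24" on the page, so
# 10.1.1.0/24 is an assumption. "ips" records the address count the plan claims.
PLAN: Dict[str, dict] = {
    "shared-services": {
        "space": "10.1.0.0/16",
        "subnets": {"SharedServicesSubnet": {"cidr": "10.1.1.0/24"}},
    },
    "avd-enclave": {
        "space": "10.2.0.0/16",
        "subnets": {
            "AzureVirtualDesktopManagementSubnet": {"cidr": "10.2.1.0/24"},
            "AzureVirtualDesktopSessionHostsSubnet": {"cidr": "10.2.2.0/24"},
        },
    },
    "aks-enclave": {
        "space": "10.3.0.0/16",
        "subnets": {
            "aksSubnet": {"cidr": "10.3.1.0/25", "ips": 128},
            "agentSubnet": {"cidr": "10.3.1.128/28", "ips": 16},
            "AzureVirtualEnclaveSubnet": {"cidr": "10.3.2.0/26", "ips": 64},
        },
    },
}

# Azure reserves the first four addresses and the last address of every subnet.
AZURE_RESERVED_PER_SUBNET = 5


def usable_addresses(cidr: str) -> int:
    """Addresses actually assignable to NICs or nodes in an Azure subnet."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - AZURE_RESERVED_PER_SUBNET


def validate_plan(plan: Dict[str, dict]) -> List[str]:
    """Return a list of findings; an empty list means the plan is consistent."""
    findings: List[str] = []
    spaces = {}
    for enclave, cfg in plan.items():
        try:
            # strict=True rejects CIDRs with host bits set, e.g. 10.2.1.5/24
            spaces[enclave] = ipaddress.ip_network(cfg["space"], strict=True)
        except ValueError as exc:
            findings.append(f"{enclave}: invalid address space {cfg['space']!r} ({exc})")

    # Enclave address spaces must be disjoint, or traffic between enclaves
    # cannot be routed unambiguously.
    names = sorted(spaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if spaces[a].overlaps(spaces[b]):
                findings.append(f"enclave address spaces overlap: {a} {spaces[a]} and {b} {spaces[b]}")

    subnets = []
    for enclave, cfg in plan.items():
        if enclave not in spaces:
            continue
        for name, sub in cfg["subnets"].items():
            try:
                net = ipaddress.ip_network(sub["cidr"], strict=True)
            except ValueError as exc:
                findings.append(f"{enclave}/{name}: invalid subnet {sub['cidr']!r} ({exc})")
                continue
            if not net.subnet_of(spaces[enclave]):
                findings.append(f"{enclave}/{name}: {net} lies outside address space {spaces[enclave]}")
            claimed = sub.get("ips")
            if claimed is not None and claimed != net.num_addresses:
                findings.append(f"{enclave}/{name}: {net} has {net.num_addresses} addresses, plan claims {claimed}")
            subnets.append((enclave, name, net))

    # Subnets must not overlap, within or across enclaves.
    for i, (ea, na, a) in enumerate(subnets):
        for eb, nb, b in subnets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets overlap: {ea}/{na} {a} and {eb}/{nb} {b}")
    return findings


if __name__ == "__main__":
    problems = validate_plan(PLAN)
    print("plan OK" if not problems else "\n".join(problems))
    for enclave, cfg in PLAN.items():
        for name, sub in cfg["subnets"].items():
            print(f"{enclave}/{name}: {usable_addresses(sub['cidr'])} usable addresses")
```

Run it as-is to confirm the plan on this page validates cleanly, then swap in your own address spaces. The usable-address figure matters most for the API server subnet: a /28 holds 16 addresses but only 11 are assignable once Azure's reservations are taken out.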
Deploy private DNS zones
Private DNS zones enable private endpoint DNS resolution for Azure services.
Create private DNS zones for Azure Virtual Desktop
- Navigate to your Azure Virtual Desktop enclave (avd-enclave).
- Select Workloads, then select + Create.
- Create a workload:
  - Workload name: avd-workload
  - Create resource group: Create new
  - Resource group name: rg-avd-workload
- In the workload, select + Add an Azure Service.
- Select Private DNS Zones from the dropdown list, verify the selected resource group, and select Next.
- Configure the Private DNS Zones deployment:
  - Create storage file Private DNS Zone: true
  - Create storage queue Private DNS Zone: true
  - Create storage table Private DNS Zone: true
  - Create storage blob Private DNS Zone: true
  - Create Key Vault Private DNS Zone: true
  - Additional Private DNS Zone Names: ["privatelink.wvd.microsoft.com","privatelink-global.wvd.microsoft.com"]
- Select Review + Create and then Create.
- Wait for the deployment to complete.
Create private DNS zones for AKS
- Navigate to your AKS enclave (aks-enclave).
- Select Workloads, then select + Create.
- Create a workload:
  - Workload name: aks-workload
  - Create resource group: Create new
  - Resource group name: rg-aks-workload
- In the workload, select + Add an Azure Service.
- Select Private DNS Zones from the dropdown list, verify the selected resource group, and select Next.
- Configure the Private DNS Zones deployment:
  - Create storage file Private DNS Zone: true
  - Create storage queue Private DNS Zone: true
  - Create storage table Private DNS Zone: true
  - Create storage blob Private DNS Zone: true
  - Create Key Vault Private DNS Zone: true
  - Additional Private DNS Zone Names: ["privatelink.<region>.azmk8s.io"], replacing <region> with your region, for example, eastus
- Select Review + Create and then Create.
- Wait for the deployment to complete.
Create community endpoints for external connectivity
Community endpoints allow traffic from your enclaves to external Azure services and the internet.
Create Azure Virtual Desktop community endpoint
- Navigate to your community (for example, fabrikam).
- Select Community endpoints, then select + Create.
- Configure the endpoint:
  - Name: ce-avd-services
  - Description: Azure Virtual Desktop required service endpoints
- Select Add rule and configure each required endpoint:
  - Rule 1: AVD Control Plane
    - Name: avd-control-plane
    - Destination: *.wvd.microsoft.com, *.prod.warm.ingest.monitor.core.windows.net
    - Protocol: HTTPS
    - Port: 443
  - Rule 2: Authentication
    - Name: authentication
    - Destination: login.microsoftonline.com, login.windows.net
    - Protocol: HTTPS
    - Port: 443
  - Rule 3: Azure Resource Manager
    - Name: arm
    - Destination: management.azure.com
    - Protocol: HTTPS
    - Port: 443
  - Rule 4: Agent Updates
    - Name: agent-updates
    - Destination: mrsglobalstb2prod.blob.core.windows.net, gcs.prod.monitoring.core.windows.net
    - Protocol: HTTPS
    - Port: 443
  - Rule 5: Guest Configuration
    - Name: guest-config
    - Destination: *.guestconfiguration.azure.com
    - Protocol: HTTPS
    - Port: 443
- Select Review + create and then Create.
Create AKS community endpoint
- In your community, select Community endpoints, then select + Create.
- Configure the endpoint:
  - Name: ce-aks-services
  - Description: AKS required service endpoints
- Select Add rule and configure each required endpoint:
  - Rule 1: Container Registry
    - Name: mcr
    - Destination: mcr.microsoft.com, *.data.mcr.microsoft.com
    - Protocol: HTTPS
    - Port: 443
  - Rule 2: Cluster Management
    - Name: aks-management
    - Destination: *.hcp.<region>.azmk8s.io (replace <region> with your region, for example, eastus)
    - Protocol: HTTPS
    - Port: 443
  - Rule 3: Azure Resource Manager
    - Name: arm
    - Destination: management.azure.com
    - Protocol: HTTPS
    - Port: 443
  - Rule 4: Authentication
    - Name: authentication
    - Destination: login.microsoftonline.com
    - Protocol: HTTPS
    - Port: 443
  - Rule 5: Package Repository
    - Name: packages
    - Destination: packages.microsoft.com, acs-mirror.azureedge.net
    - Protocol: HTTPS
    - Port: 443
- Select Review + create and then Create.
Create enclave endpoints and connections
Enclave endpoints and connections enable communication between enclaves for accessing shared services.
Create enclave endpoint for shared services
- Navigate to your Shared Services Enclave (shared-services).
- Select Enclave endpoints, then select + Create.
- Configure the endpoint:
  - Name: ee-shared-services
  - Description: Allow access to shared Key Vault and monitoring
- Add rules for shared services:
  - Rule 1: Key Vault
    - Name: key-vault
    - Protocol: HTTPS
    - Port: 443
    - Source IP/CIDR: 10.2.0.0/16, 10.3.0.0/16 (Azure Virtual Desktop and AKS enclave IP address ranges)
  - Rule 2: DNS
    - Name: dns
    - Protocol: TCP
    - Port: 53
    - Source IP/CIDR: 10.2.0.0/16, 10.3.0.0/16
- Select Review + create and then Create.
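The community endpoint rules for Azure Virtual Desktop and AKS and the enclave endpoint rules for shared services together form an allow list, so it pays to review what they actually permit before the first session host or node tries to use them. The following Python script is an added example, not part of this tutorial and not the Azure Enclave service's own rule engine: it models the rules exactly as listed on this page (with <region> set to the page's example value eastus), evaluates sample flows against them, and lists the flows that nothing covers. The wildcard semantics are an assumption of the model: *.example.com matches names below example.com but not example.com itself, and a name without a wildcard must match exactly.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class EgressRule:
    """A community endpoint rule: outbound traffic to listed FQDNs on one port."""
    name: str
    destinations: Tuple[str, ...]
    protocol: str
    port: int


@dataclass(frozen=True)
class IngressRule:
    """An enclave endpoint rule: inbound traffic from listed source CIDRs on one port."""
    name: str
    sources: Tuple[str, ...]
    protocol: str
    port: int


# Rules constructed from this tutorial's tables; <region> replaced with the
# page's example value eastus.
AVD_COMMUNITY_RULES = [
    EgressRule("avd-control-plane", ("*.wvd.microsoft.com", "*.prod.warm.ingest.monitor.core.windows.net"), "HTTPS", 443),
    EgressRule("authentication", ("login.microsoftonline.com", "login.windows.net"), "HTTPS", 443),
    EgressRule("arm", ("management.azure.com",), "HTTPS", 443),
    EgressRule("agent-updates", ("mrsglobalstb2prod.blob.core.windows.net", "gcs.prod.monitoring.core.windows.net"), "HTTPS", 443),
    EgressRule("guest-config", ("*.guestconfiguration.azure.com",), "HTTPS", 443),
]
AKS_COMMUNITY_RULES = [
    EgressRule("mcr", ("mcr.microsoft.com", "*.data.mcr.microsoft.com"), "HTTPS", 443),
    EgressRule("aks-management", ("*.hcp.eastus.azmk8s.io",), "HTTPS", 443),
    EgressRule("arm", ("management.azure.com",), "HTTPS", 443),
    EgressRule("authentication", ("login.microsoftonline.com",), "HTTPS", 443),
    EgressRule("packages", ("packages.microsoft.com", "acs-mirror.azureedge.net"), "HTTPS", 443),
]
SHARED_ENCLAVE_RULES = [
    IngressRule("key-vault", ("10.2.0.0/16", "10.3.0.0/16"), "HTTPS", 443),
    IngressRule("dns", ("10.2.0.0/16", "10.3.0.0/16"), "TCP", 53),
]


def fqdn_matches(pattern: str, host: str) -> bool:
    """Wildcard semantics assumed by this example: '*.example.com' matches any
    name below example.com but not example.com itself; anything else must match
    exactly. Matching is case-insensitive and ignores a trailing dot."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]          # ".example.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def egress_allowed(rules: List[EgressRule], host: str, port: int, protocol: str = "HTTPS") -> Optional[str]:
    """Name of the first community endpoint rule permitting host:port, else None."""
    for rule in rules:
        if rule.protocol.upper() == protocol.upper() and rule.port == port \
                and any(fqdn_matches(d, host) for d in rule.destinations):
            return rule.name
    return None


def ingress_allowed(rules: List[IngressRule], source_ip: str, port: int, protocol: str) -> Optional[str]:
    """Name of the first enclave endpoint rule permitting source_ip -> port, else None."""
    ip = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule.protocol.upper() == protocol.upper() and rule.port == port \
                and any(ip in ipaddress.ip_network(cidr) for cidr in rule.sources):
            return rule.name
    return None


def unmatched_egress(rules: List[EgressRule], flows: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Flows (host, port) that no rule covers: the list to review before go-live."""
    return [f for f in flows if egress_allowed(rules, f[0], f[1]) is None]


if __name__ == "__main__":
    # Constructed sample flows an Azure Virtual Desktop session host might attempt.
    sample = [("rdweb.wvd.microsoft.com", 443), ("login.microsoftonline.com", 443),
              ("management.azure.com", 80), ("updates.example.com", 443)]
    for host, port in sample:
        print(f"{host}:{port} -> {egress_allowed(AVD_COMMUNITY_RULES, host, port) or 'NOT ALLOWED'}")
    print("shared Key Vault from 10.2.2.10:", ingress_allowed(SHARED_ENCLAVE_RULES, "10.2.2.10", 443, "HTTPS"))
    print("UDP DNS from 10.3.1.5:", ingress_allowed(SHARED_ENCLAVE_RULES, "10.3.1.5", 53, "UDP"))
```

Two things the sample run makes visible: the apex name wvd.microsoft.com is not covered by *.wvd.microsoft.com under the assumed wildcard semantics, so add it explicitly if your clients need it, and the DNS rule on this page is TCP 53 only, so a UDP 53 query from the AKS enclave is reported as unmatched. Confirm against your DNS design whether that is the intent before treating the allow list as final.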
Create enclave connections
Create enclave connections to link the enclaves together.
- Navigate to your Azure Virtual Desktop enclave (avd-enclave).
- Select Enclave connections, then select + Create.
- Configure the connection:
  - Name: conn-avd-to-shared
  - Source enclave: avd-enclave (current)
  - Destination enclave endpoint: Select ee-shared-services from the shared services enclave
- Select Review + create and then Create.
- Repeat for the AKS enclave:
  - Navigate to the AKS enclave (aks-enclave).
  - Create the connection conn-aks-to-shared to ee-shared-services.
- Navigate to the AKS enclave (
Validate the environment
Verify your environment configuration:
- Common dependencies deployed in shared services workload
- Azure Virtual Desktop enclave created with management and session hosts subnets
- AKS enclave created with node, API server, and private endpoint subnets
- Private DNS zones deployed and linked to enclaves
- Community endpoints created for Azure Virtual Desktop and AKS external connectivity
- Enclave endpoints created for shared services
- Enclave connections created from Azure Virtual Desktop and AKS to shared services
Next steps
With your Azure Enclave environment configured correctly, you're ready to deploy workloads. The next tutorial guides you through deploying Azure Virtual Desktop.