Windows 365 is a cloud-based service that lets users connect through the internet from any device, from any place, to a Windows Desktop running in Azure. To support these internet connections, you must follow the networking requirements listed below.
Each customer has specific requirements based on the workload they use; use that workload to pre-calculate the network requirements of your Cloud PC environment.
This article only applies if you plan on provisioning Cloud PCs on your own Azure virtual network, as opposed to a Microsoft-hosted network.
General network requirements
To use your own network and provision Azure Active Directory (Azure AD) joined Cloud PCs, you must meet the following requirements:
- Azure virtual network: You must have a virtual network (vNet) in your Azure subscription in the same region where the Windows 365 desktops are created.
- Network bandwidth: See Azure’s Network guidelines.
- A subnet within the vNet and available IP address space.
To use your own network and provision Hybrid Azure AD joined Cloud PCs, you must meet the above requirements, and the following requirements:
- The Azure virtual network must be able to resolve DNS entries for your Active Directory Domain Services (AD DS) environment. To support this resolution, define your AD DS DNS servers as the DNS servers for the virtual network.
- The Azure vNet must have network access to an enterprise domain controller, either in Azure or on-premises.
Allow network connectivity
You must allow traffic in your Azure network configuration to the following service URLs and ports:
- Network endpoints for Microsoft Intune
- Azure Virtual Desktop required URL list
- Provisioning and Azure network connection endpoints:
- Cloud PC communication endpoints*
- Registration endpoints
  - global.azure-devices-provisioning.net (443 & 5671 outbound)
  - hm-iot-in-prod-preu01.azure-devices.net (443 & 5671 outbound)
  - hm-iot-in-prod-prap01.azure-devices.net (443 & 5671 outbound)
  - hm-iot-in-prod-prna01.azure-devices.net (443 & 5671 outbound)
  - hm-iot-in-prod-prau01.azure-devices.net (443 & 5671 outbound)
* The CMD Agent is required for the Windows 365 service. It performs core infrastructure functions such as domain join, initial config setup, data monitoring, and remediation.
All endpoints connect over port 443.
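An added example (not part of the original article or of any Microsoft tooling): a Python check, meant to be run from a VM in the Cloud PC subnet, that parses the port annotations of the registration endpoints listed above and attempts an outbound TCP connection to each host and port. The function names and the injectable `connect` parameter are assumptions made for this example.

```python
import re
import socket

# Endpoint lines copied from the list above; ports are parsed, not hard-coded.
ENDPOINT_LINES = """\
global.azure-devices-provisioning.net (443 & 5671 outbound)
hm-iot-in-prod-preu01.azure-devices.net (443 & 5671 outbound)
hm-iot-in-prod-prap01.azure-devices.net (443 & 5671 outbound)
hm-iot-in-prod-prna01.azure-devices.net (443 & 5671 outbound)
hm-iot-in-prod-prau01.azure-devices.net (443 & 5671 outbound)
"""

def parse_endpoints(text):
    """Turn 'host (443 & 5671 outbound)' lines into (host, port) pairs."""
    pairs = []
    for line in text.splitlines():
        m = re.match(r"\s*-?\s*([A-Za-z0-9.-]+)\s*\(([^)]*)\)", line)
        if not m:
            continue
        host, note = m.groups()
        pairs += [(host, int(p)) for p in re.findall(r"\d+", note)]
    return pairs

def tcp_connect(host, port, timeout=5.0):
    """Default probe: a plain outbound TCP connect; no data is sent."""
    with socket.create_connection((host, port), timeout=timeout):
        return True

def check_outbound(pairs, connect=tcp_connect):
    """Return {(host, port): None if reachable, else the error text}."""
    results = {}
    for host, port in pairs:
        try:
            connect(host, port)
            results[(host, port)] = None
        except OSError as exc:  # refused, timed out, or DNS resolution failure
            results[(host, port)] = f"{type(exc).__name__}: {exc}"
    return results

def blocked(results):
    """Sorted (host, port) pairs that could not be reached."""
    return sorted(k for k, err in results.items() if err is not None)

if __name__ == "__main__":
    for host, port in blocked(check_outbound(parse_endpoints(ENDPOINT_LINES))):
        print(f"BLOCKED {host}:{port}")
```

A firewall that permits 443 but drops 5671 shows up as five blocked entries, one per host.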
Remote Desktop Protocol (RDP) broker service endpoints
Direct connectivity to Azure Virtual Desktop RDP broker service endpoints is critical for remoting performance to a Cloud PC. These endpoints affect both connectivity and latency. To align with the Microsoft 365 network connectivity principles, you should categorize these endpoints as Optimize endpoints. We recommend that you use a direct path from your Azure virtual network to those endpoints.
To make it easier to configure network security controls, use Azure Virtual Desktop service tags to identify those endpoints for direct routing using an Azure Networking User Defined Route (UDR). A UDR will result in direct routing between your virtual network and the RDP broker for lowest latency. For more information about Azure Service Tags, see Azure service tags overview.
Changing the network routes of a Cloud PC (at the network layer or at the Cloud PC layer, such as with a VPN) might break the connection between the Cloud PC and the Azure Virtual Desktop RDP broker. If so, the end user will be disconnected from their Cloud PC until a connection is re-established.
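An added example, not from the original article: a Python model of Azure route selection (longest prefix first, then user-defined over BGP over system routes) used to audit whether RDP broker addresses take a direct path or are pulled through an appliance. The route records, the prefixes standing in for the Azure Virtual Desktop service tag, and the broker addresses are constructed sample data.

```python
import ipaddress

# Constructed sample data: documentation ranges stand in for the prefixes the
# Azure Virtual Desktop service tag expands to.
AVD_TAG_PREFIXES = ["203.0.113.0/24", "198.51.100.0/25"]
SYSTEM_DEFAULT = {"name": "system-default", "prefixes": ["0.0.0.0/0"],
                  "next_hop": "Internet", "source": "System"}
FORCED_TUNNEL = {"name": "default-via-nva", "prefixes": ["0.0.0.0/0"],
                 "next_hop": "VirtualAppliance", "source": "User"}
AVD_DIRECT = {"name": "avd-direct", "prefixes": AVD_TAG_PREFIXES,
              "next_hop": "Internet", "source": "User"}

# When prefixes tie, user-defined routes win over BGP, which wins over system.
SOURCE_PRIORITY = {"User": 0, "BGP": 1, "System": 2}

def effective_route(routes, dest_ip):
    """Pick the route for dest_ip: longest prefix match, then source priority."""
    ip = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes:
        for prefix in route["prefixes"]:
            net = ipaddress.ip_network(prefix)
            if ip not in net:
                continue
            key = (-net.prefixlen, SOURCE_PRIORITY[route["source"]])
            if best is None or key < best[0]:
                best = (key, route)
    return best[1] if best else None

def indirect_broker_paths(routes, broker_ips):
    """List (ip, next_hop) for broker addresses that do not route directly."""
    findings = []
    for ip in broker_ips:
        route = effective_route(routes, ip)
        hop = route["next_hop"] if route else "None"
        if hop != "Internet":
            findings.append((ip, hop))
    return findings

if __name__ == "__main__":
    brokers = ["203.0.113.10", "198.51.100.20"]  # constructed addresses
    print("forced tunnel only:", indirect_broker_paths([SYSTEM_DEFAULT, FORCED_TUNNEL], brokers))
    print("with service-tag UDR:", indirect_broker_paths([SYSTEM_DEFAULT, FORCED_TUNNEL, AVD_DIRECT], brokers))
```

With only the forced-tunnel default route, both broker addresses resolve to the appliance; adding the more specific service-tag route returns an empty findings list.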
As part of the Hybrid Azure AD Join requirements, your Cloud PCs must be able to join on-premises Active Directory. That requires that the Cloud PCs be able to resolve DNS records for your on-premises AD environment.
Configure your Azure Virtual Network where the Cloud PCs are provisioned as follows:
- Make sure that your Azure Virtual Network has network connectivity to DNS servers that can resolve your Active Directory domain.
- From the Azure Virtual Network's Settings, select DNS Servers and then choose Custom.
- Enter the IP addresses of the DNS servers that can resolve your AD DS domain.
Adding at least two DNS servers, as you would with a physical PC, helps mitigate the risk of a single point of failure in name resolution.
For more information, see configuring Azure Virtual Networks settings.
Remote Desktop Protocol requirements
Windows 365 uses the Remote Desktop Protocol (RDP).
| Scenario | Default mode | H.264/AVC 444 mode | Description |
|---|---|---|---|
| Idle | 0.3 Kbps | 0.3 Kbps | User has paused their work and there are no active screen updates. |
| Microsoft Word | 100-150 Kbps | 200-300 Kbps | User is actively working with Microsoft Word: typing, pasting graphics, and switching between documents. |
| Microsoft Excel | 150-200 Kbps | 400-500 Kbps | User is actively working with Microsoft Excel: multiple cells with formulas and charts are updated simultaneously. |
| Microsoft PowerPoint | 4-4.5 Mbps | 1.6-1.8 Mbps | User is actively working with Microsoft PowerPoint: typing, pasting, modifying rich graphics, and using slide transition effects. |
| Web Browsing | 6-6.5 Mbps | 0.9-1 Mbps | User is actively working with a graphically rich website that contains multiple static and animated images. User scrolls the pages both horizontally and vertically. |
| Image Gallery | 3.3-3.6 Mbps | 0.7-0.8 Mbps | User is actively working with the image gallery application: browsing, zooming, resizing, and rotating images. |
| Video playback | 8.5-9.5 Mbps | 2.5-2.8 Mbps | User is watching a 30 FPS video that consumes 1/2 of the screen. |
| Fullscreen Video playback | 7.5-8.5 Mbps | 2.5-3.1 Mbps | User is watching a 30 FPS video that’s maximized to a full screen. |
Microsoft Teams requirements
Microsoft Teams is one of the core Microsoft 365 services within Cloud PC. Windows 365 offloads the audio and video traffic to your endpoint to make the video experience like Teams on a physical PC.
The network quality is important per scenario. Make sure that you have the proper bandwidth available for the quality that you want to offer.
Full HD (1920x1080p) isn’t a supported resolution for Microsoft Teams on Cloud PCs.
| 30 kbps | Peer-to-peer audio calling. |
| 130 kbps | Peer-to-peer audio calling and screen sharing. |
| 500 kbps | Peer-to-peer quality video calling 360p at 30 fps. |
| 1.2 Mbps | Peer-to-peer HD quality video calling with resolution of HD 720p at 30 fps. |
| 500 kbps/1 Mbps | Group Video calling. |
Traffic interception technologies
Some enterprise customers use traffic interception, SSL decryption, deep packet inspection, and other similar technologies for security teams to monitor network traffic. Cloud PC provisioning may need direct access to the virtual machine. These traffic interception technologies can cause issues with running Azure network connection checks or Cloud PC provisioning. Make sure no network interception is enforced for Cloud PCs provisioned within the Windows 365 service.
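An added example, not from the original article: a Python check that completes a TLS handshake with a required endpoint and flags a certificate issuer that suggests SSL decryption on the path. The expected issuer organizations and the function names are assumptions; confirm the issuers from a network known to be free of interception before relying on the list.

```python
import socket
import ssl

# Assumption: issuer organizations expected on the public certificates of the
# endpoints being checked. Adjust to what a clean network shows.
EXPECTED_ISSUER_ORGS = {"Microsoft Corporation", "DigiCert Inc"}

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Handshake using the system trust store; returns the getpeercert() dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def classify(host, fetch=fetch_peer_cert, expected=EXPECTED_ISSUER_ORGS):
    """Return (verdict, detail); verdict is 'direct', 'suspect' or 'error'."""
    try:
        cert = fetch(host)
    except ssl.SSLCertVerificationError as exc:
        # The chain does not validate on this machine, which is what a
        # re-signing proxy looks like when its root is not installed here.
        return ("suspect", f"certificate not trusted: {exc}")
    except OSError as exc:  # connection refused, timeout, DNS failure
        return ("error", f"{type(exc).__name__}: {exc}")
    org = issuer_org(cert)
    if org in expected:
        return ("direct", org)
    # The chain validated but was issued by an unexpected CA, which is what a
    # proxy looks like when its root is deployed to the machine.
    return ("suspect", f"unexpected issuer: {org}")

if __name__ == "__main__":
    # Host taken from the registration endpoint list in this article.
    print(classify("global.azure-devices-provisioning.net"))
```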
Windows 365 uses the Azure network infrastructure. An Azure subscription is required when a virtual network is selected while deploying Windows 365 Enterprise. Bandwidth charges for Cloud PC usage include:
- Network traffic into a Cloud PC is free.
- Outbound (egress) traffic incurs charges against the Azure subscription for the virtual network.
- Office data (like email and OneDrive for Business file sync) incurs egress charges if the Cloud PC and a user’s data reside in different regions.
- RDP networking traffic always incurs egress charges.
If you bring your own network, see Bandwidth pricing.
If you use a Microsoft-hosted network: Outbound data/month is based on the RAM of the Cloud PC:
- 2-GB RAM = 12-GB outbound data
- 4-GB or 8-GB RAM = 20-GB outbound data
- 16-GB RAM = 40-GB outbound data
- 32-GB RAM = 70-GB outbound data
Data bandwidth may be restricted when these levels are exceeded.