1 Azure Setting You Should Change NOW!!!

  • Published: 16 Aug 2024
  • Azure Virtual Desktop Private Link enables customers to access Azure PaaS services over a private endpoint in their virtual network. This gives you more control over routing, security and access to your AVD environment.
    ▬▬▬▬▬▬ C H A P T E R S 📲 ▬▬▬▬▬▬
    0:00 Secure Azure Virtual Desktop with Private Endpoints
    1:06 AVD Private Endpoints Explained
    2:43 Private Session Host Scenario
    5:40 Fully Private Scenario
    6:50 Virtual Desktop Global Endpoint
    8:00 Virtual Desktop Connectivity
    8:29 Wrap Up
    ▬▬▬▬▬▬ R E S O U R C E S 📡 ▬▬▬▬▬▬
    ► AVD PrivateLink Docs: learn.microsof...
    ► Preview Portal Link: portal.azure.c...
    ▬▬▬▬▬▬ S U P P O R T 💰 ▬▬▬▬▬▬
    ► Become a Learner TODAY: tinyurl.com/Az...
    ► Twitter: / msazureacademy
    ► LinkedIn: / dean-cefola-2902934b
    #TheAzureAcademy #AzureVirtualDesktop #AVDSecurity

Comments • 50

  • @Timmy-Hi5 1 year ago +4

    "IF YOU LIKE ME" 😁🤣😂 NOBODY CAN BE LIKE YOU ... SUPER FUNNY, SUPER TECHY FAST TRACK SUPERMAN 🤩😁

    • @AzureAcademy 1 year ago +1

      🤦‍♂️😁😬🤦‍♂️

  • @richardsilver3190 1 year ago +4

    Outstanding video with great presentation. As always, David, you are amazing. I love it. This is very helpful information you have shared with us. Thanks a lot.

    • @AzureAcademy 1 year ago +1

      Thanks for watching and glad it was helpful! 👍

  • @tabaniz 25 days ago +1

    AVD network policy ❤

  • @jlou65535 1 year ago +1

    Thanks for that video Dean ! Already tested with an Azure VPN P2S client :)

  • @ctxshekhar7979 1 year ago +1

    As always, you are very friendly. Thank you for sharing the video.

  • @nemanjaserafimovic9939 1 year ago +1

    ...and oscar goes to.... Dean! :)

    • @AzureAcademy 1 year ago +2

      🏆 I’d like to thank the Academy for their consideration and thank you for watching! ☺️

  • @iamquark 1 year ago +1

    Much appreciated content, as always. Thanks Dean!

  • @stephenzzz 1 year ago +1

    Thanks Dean. Could you do an overview of the upcoming CBA? Is it a possibility to ditch on-prem ADFS?

    • @AzureAcademy 1 year ago +1

      Since there are SO MANY acronyms...what is CBA??? When you say ditch ADFS...I assume you mean no longer federate with Azure...YES that is 100% possible as long as you know what you are using ADFS for with Azure so you know what native options you have to replace them, or live without them.

  • @eudeliobenitezgonzalez574 9 months ago +1

    Amazing video. Thanks a lot, but after watching the video lots of times I still have doubts about PEP in the global sense. Example: I have a couple of networks, each one with 2 more subnets (one for the pool and the other for PEP). In RG1 I have VNET1, one host pool and a workspace. On the other hand, I have RG2 with VNET2, one host pool and 1 workspace. In RG2 I've configured PEP type connection, PEP feed and PEP global in RG2. If I understood the video, I can delete the PEP global or the host pool or the workspace in RG2 because VNET1 and VNET2 are in different networks and not peered, and the rest of the workspaces and pools keep working. Am I right? What happens in case I already set up a global PEP in a workspace and I don't need it any more? Must I recreate the rest of the workspaces? Thanks a lot in advance.

    • @AzureAcademy 9 months ago +2

      Thanks for watching! The SINGLE global Workspace endpoint will work for all networks that are peered together. But if you have un-peered virtual networks where AVD is being used...that will need its own Global endpoint. Does that help?

    • @eudeliobenitezgonzalez574 9 months ago +1

      @AzureAcademy yes!!!!!! now it's all clear. Thanks a lot.

    • @AzureAcademy 9 months ago +2

      Anytime!

  • @otakuguild5603 8 months ago +1

    Thanks a lot for making such great videos. Just one question: with a VPN setup, do I need to configure DNS forwarders?

    • @AzureAcademy 8 months ago +1

      If you are doing the whole process to have clients on the private link AND they are not in the office, then YES they need a VPN, but the DNS forwarders are only needed if you need to reach Azure Files private endpoints or on-prem DNS resolution.

    • @otakuguild5603 8 months ago +1

      Thank you for replying, @AzureAcademy. I have configured this in my client's environment but it's still resolving to a public IP. I created a VM in the same vnet as my AVD and private endpoint and it's unable to access the workspace in the remote client. Do you know what troubleshooting I can do to resolve this? I have one Azure Firewall deployed but I have opened all outbound ports from it.

    • @AzureAcademy 7 months ago +1

      Here is the troubleshooting guide: learn.microsoft.com/en-us/azure/private-link/troubleshoot-private-endpoint-connectivity
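
A check for the symptom raised in this thread, where names still resolve to a public IP after private endpoints are configured. This is an added example, not code from the video or the commenters; the hostnames, addresses and the 10.20.0.0/16 prefix are constructed placeholders, and `resolve`, `classify` and `audit` are hypothetical helper names.

```python
import ipaddress
import socket

def resolve(host):
    """Addresses the local resolver returns for host ([] if it does not resolve)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def classify(addresses, vnet_prefixes):
    """Compare one hostname's answers with the vnet address space.

    private    - every answer is inside a listed prefix (private endpoint in use)
    outside    - no answer is inside a listed prefix (public endpoint in use)
    mixed      - split answers, e.g. two resolvers or stale records
    unresolved - the resolver returned nothing
    """
    if not addresses:
        return "unresolved"
    nets = [ipaddress.ip_network(p) for p in vnet_prefixes]
    inside = [any(ipaddress.ip_address(a) in n for n in nets) for a in addresses]
    if all(inside):
        return "private"
    return "mixed" if any(inside) else "outside"

def audit(answers, vnet_prefixes):
    """Map each hostname to its verdict; answers is {hostname: [addresses]}."""
    return {host: classify(addrs, vnet_prefixes) for host, addrs in answers.items()}

# Constructed sample: prefixes of the subnets that hold the private endpoints,
# and resolver answers as seen from a VPN-connected client (placeholder names).
SAMPLE_PREFIXES = ["10.20.0.0/16"]
SAMPLE_ANSWERS = {
    "feed.avd.example": ["10.20.5.4"],
    "global.avd.example": ["203.0.113.10"],
    "gateway.avd.example": ["10.20.5.6", "198.51.100.7"],
    "files.avd.example": [],
}

if __name__ == "__main__":
    # Live use: audit({h: resolve(h) for h in your_hostnames}, your_prefixes)
    for host, verdict in audit(SAMPLE_ANSWERS, SAMPLE_PREFIXES).items():
        print(f"{verdict:10} {host}")
```

Run it from the client or VM that fails to connect, since the verdict depends on which DNS server that machine uses.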

  • @Alexwilcox9 1 year ago +1

    Hi, are you able to expand on what the exact security benefits are? From what I can tell without this enabled session hosts will talk to the AVD gateways over the 'public' network but never actually leave Microsoft's network.
    Latency/performance improvements I can absolutely believe and maybe it's cheaper to send RDP data over a private endpoint than out via a firewall but I'm just not seeing what makes it more secure.
    Apologies if I'm missing something obvious! And thanks for the video, very useful.

    • @AzureAcademy 1 year ago +2

      No worries Alex, it is a great question. The biggest security benefit is concerning Data Exfiltration and isolation. Standard AVD Reverse Connect or RDP ShortPath DOES send the connection out of your vnet to the Azure service, public internet addresses. YES it does hairpin the traffic but technically it does go to the internet endpoint of the AVD Gateway.
      So by making the connection use a private IP on your vnet then tunnel the traffic to the private endpoint of the gateway, exfil is not a concern. If you additionally use client private endpoints this also increases security
      BUT you need to have a large enough pipe for your client VPN so you do not choke your connection off and impact performance
      Please let me know if that helps clear it up ☺️

    • @Alexwilcox9 1 year ago +1

      @AzureAcademy Thanks for the response! That clears things up greatly.
      I think I'll be using this once shortpath is supported and it's out of preview ☺️

    • @AzureAcademy 1 year ago +1

      awesome, let me know how it goes!

  • @Nicecube3D 1 year ago +1

    Good video as always!

  • @marktyler6832 1 year ago +1

    Watched 4 times now Dean and head feels like it's been through a mulcher LOL, so many questions!! My understanding is that RDP Shortpath works over ExpressRoute, so as my session hosts are in a spoke vnet they should connect back to on-prem clients via ExpressRoute, so no need for private endpoint - is that correct? As I have clients both externally and internally it would be better to create two workspaces, one for internal and one external, but this global sub resource thing is worrying me so going to research that more. Also how do internal clients resolve the rdweb.wvd...feed discovery URL internally? Is some DNS magic required to point it to one of the private endpoints?

    • @AzureAcademy 1 year ago +2

      There are 2 sides to connectivity: the AVD service, then AD or Azure AD auth to the session hosts. If you want EVERYTHING to go over the express route then you need AVD private endpoints. The real question is…WHY? What is the major benefit to you if that traffic goes over express route or the internet?
      If your users are all in the office this can make sense, but if they are in a coffee shop…then you would need them to VPN in, so they can get an IP that can connect them over the express route. This will cost them bandwidth, and add hops which adds latency.

    • @marktyler6832 1 year ago +1

      @AzureAcademy I have two user types - external contractors logging in from maccas and internal users (security want their traffic kept internal) so I guess I want my cake and eat it. Am I correct in thinking this is an either-or option and we can't have both? Thanks for your time and responses on this Dean, it's much appreciated.

    • @AzureAcademy 1 year ago +2

      Well, you CAN have both…but NOT in the same pool. If you had 1 pool for internal folks they can set up the AVD private endpoint and keep everything internal. Then you build a different pool for external users that does NOT use private endpoints so they would be forced externally. You could make a further separation by building the external pool in a DMZ network as well to keep all the session host traffic isolated too 🎂🍰 enjoy your cake ☺️

    • @marktyler6832 1 year ago +1

      @AzureAcademy Cheers Dean - I love cake!!

    • @AzureAcademy 1 year ago +1

      ☺️

  • @user-or4tz5gi1p 1 year ago +1

    Sir, what host entry do we need to add on our PC if we are using P2S VPN to connect and access AVD? I am able to access from a machine in the same subnet but not able to access from my machine; the VPN is also connected. Looks like I need to add a hosts file entry. Please advise which entry we have to add, IP and FQDN. Thanks in advance.

    • @AzureAcademy 1 year ago +1

      Sounds like you can connect to AVD without the P2S VPN but you can’t connect with the VPN…is that right?
      Are the VPN subnet and your AVD session hosts subnet within the same virtual network?
      If not, are the networks peered?

    • @pojectbasiliskart4927 1 year ago +1

      @AzureAcademy Sir, the virtual network is the same, in a different subnet. I am able to access AVD from another machine in the same network but not able to access from the VPN. Maybe I need to add a hosts file entry. What values do I have to add in the hosts file? Please help.

    • @AzureAcademy 1 year ago +1

      No host files are needed to get to the VMs. The problem sounds like your peering, routing or network security is not set up to allow the VPN subnet to get to the hosts.

  • @vinodboddu1991 1 year ago +3

    Avd network policy

  • @Sameerakarunaratne 1 year ago +1

    Thank You

  • @jinee2412 8 months ago +1

    Is the global endpoint essential?

  • @josephwhitelow4408 1 year ago +1

    AVD network please

  • @NigelGibbDotCom 1 year ago +1

    Brain Expansion :)