Applies to: Nerdio for Azure (NFA)
How do I assign a static outbound IP to RDS collections?
By default, outbound internet connectivity from a VM in Azure comes out of a dynamic pool of IP addresses maintained by Microsoft in a specific Azure region. This means that anytime you browse the internet the source IP will be different. In certain situations you may want to have a static IP address that can be whitelisted by some websites that your users visit (e.g. payroll provider).
With standard Azure VMs this is easily accomplished by assigning a static public IP address to the VM. In Nerdio Admin Portal go to Network>Firewall, scroll down to the bottom of the page and add or manage static IP addresses.
You can assign a static public IP address to any VM, including VDI and personal desktops as well as individual RDS session hosts. Static IP addresses are already assigned to some of the system servers by default. Note that assigning a static IP does NOT expose the VM to the internet without an explicit firewall (NSG) rule for inbound connectivity. However, the VM will always use this IP address as the source when browsing the internet.
Adding a static public IP has small cost implications in Azure. Please review Microsoft documentation for more detail.
Problem: RDS collections and WVD desktop pools leverage Azure VM scale sets, which consist of non-persistent VM instances. These individual instances (RDS and WVD hosts) get re-created frequently - often daily. As a result, it is not possible to assign a static IP to an individual RDS or WVD host instance.
This article demonstrates how to use the Azure Portal and CLI to add a static public IP for all outbound communications from RDS collection or WVD pooled desktop sessions.
Solution: The objective can be accomplished using a basic Azure outbound load balancer with an assigned static IP. There is no additional cost associated with this load balancer. However, there is a small additional cost associated with the static IP address, as mentioned above.
The high-level steps are:
- Create a basic Azure load balancer with a static IP
- Assign newly created load balancer to an existing Azure VM scale set (i.e. RDS collection)
- Update all VM instances in the scale set
Step 1. Look up the Azure subscription and resource group name in the Nerdio Admin Portal by clicking on more… in the Account section of the account home screen.
Step 2. Log in to the Azure Admin Portal with an account that has administrative rights to the subscription that contains the NFA deployment.
Step 3. Launch Cloud Shell, select PowerShell, and click on Create Account (if running Cloud Shell for the first time).
Step 4. Define variables.
$RG = "NFA_Resource_Group_Name"   # e.g. NerdioRG
$VMSS = "RDS_Collection"   # e.g. RDSCL-A
$SubscriptionId = "NFA_Subscription_ID"   # e.g. 73431ed6-af54-4e40-a21f-1963e58970a4
Step 5. Create Load Balancer by typing in (NOTE: all commands are case sensitive).
az network lb create --resource-group $RG --name OBLB --sku basic --public-ip-address-allocation static --backend-pool-name BackEndPool
az network lb rule create --resource-group $RG --lb-name OBLB --name outboundrule --frontend-ip-name LoadBalancerFrontEnd --protocol UDP --frontend-port 80 --backend-port 80 --backend-pool-name BackEndPool
Step 6. Assign newly created Load Balancer to an existing Azure VM Scale Set. (NOTE: The name of the scale set is the same as the name of the RDS Collection or WVD pool in Nerdio Admin Portal. For example: RDSCL-A)
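# Load the current scale set model
$myVmss = Get-AzVmss -ResourceGroupName $RG -VMScaleSetName $VMSS
# Build an IP configuration object; only its backend pool reference is used below
$ipConfig = New-AzVmssIpConfig -Name myIpConfig -SubnetId "/subscriptions/$SubscriptionId/resourceGroups/$RG/providers/Microsoft.Network/virtualNetworks/vnet1/subnets/default" -LoadBalancerBackendAddressPoolsId "/subscriptions/$SubscriptionId/resourceGroups/$RG/providers/Microsoft.Network/loadBalancers/OBLB/backendAddressPools/BackEndPool"
# Index the first NIC and IP configuration explicitly: PowerShell cannot set a property through member enumeration on a collection.
# This assumes the scale set has one NIC configuration with one IP configuration.
$myVmss.VirtualMachineProfile.NetworkProfile.NetworkInterfaceConfigurations[0].IpConfigurations[0].LoadBalancerBackendAddressPools = $ipConfig.LoadBalancerBackendAddressPools
# Write the modified model back to Azure
$myVmss | Update-AzVmss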
Step 7. Update all hosts in the RDS collection for the changes to take effect. Each individual host inside the VMSS must be updated to receive the configuration change. If no changes have been made to the template OS, updating a host will just power cycle it and make changes to the NIC without changing the disk.
After the above 7 steps are completed, all users on the RDS collection will be browsing the internet with a static public IP address.
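To confirm the result of Steps 5 to 7 before giving the address to a third party for whitelisting, the following check can be run in the same Cloud Shell session. It is an added example, not part of the original Nerdio procedure. It assumes $RG and $VMSS are still set from Step 4 and that the load balancer uses the names from Step 5 (OBLB, BackEndPool); the variable names inside the script are illustrative.

```powershell
# Added verification sketch. Assumes $RG and $VMSS are set as in Step 4 and the
# load balancer was created with the names used in Step 5 (OBLB, BackEndPool).
$lb   = Get-AzLoadBalancer -ResourceGroupName $RG -Name OBLB
$pool = $lb.BackendAddressPools | Where-Object Name -eq 'BackEndPool'

# 1. The frontend public IP must be Static, or the whitelisted address can change.
$pipId    = $lb.FrontendIpConfigurations[0].PublicIpAddress.Id
$pip      = Get-AzPublicIpAddress -ResourceGroupName $RG | Where-Object Id -eq $pipId
$staticOk = $pip.PublicIpAllocationMethod -eq 'Static'

# 2. The scale set model must reference the backend pool (result of Step 6).
#    Every NIC and IP configuration is walked, not just the first one.
$vmss    = Get-AzVmss -ResourceGroupName $RG -VMScaleSetName $VMSS
$poolIds = $vmss.VirtualMachineProfile.NetworkProfile.NetworkInterfaceConfigurations |
    ForEach-Object { $_.IpConfigurations } |
    ForEach-Object { $_.LoadBalancerBackendAddressPools } |
    ForEach-Object { $_.Id }
$attachedOk = $poolIds -contains $pool.Id   # -contains is case-insensitive

# 3. Every instance must be on the latest model (result of Step 7); an instance
#    that has not been updated has not yet received the configuration change.
$stale = Get-AzVmssVM -ResourceGroupName $RG -VMScaleSetName $VMSS |
    Where-Object { -not $_.LatestModelApplied }

# 4. List the rules on the load balancer that forward traffic from the public
#    frontend, for review alongside the NSG inbound rules.
$inbound = @($lb.LoadBalancingRules) + @($lb.InboundNatRules) |
    Select-Object Name, Protocol, FrontendPort, BackendPort

[pscustomobject]@{
    OutboundIp       = $pip.IpAddress
    AllocationStatic = $staticOk
    PoolAttached     = $attachedOk
    StaleInstanceIds = $stale.InstanceId -join ','
}
$inbound | Format-Table
```

AllocationStatic and PoolAttached should both be True and StaleInstanceIds should be empty; any instance ID listed there still needs the update from Step 7.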