Applies to: Nerdio Manager for MSP (NMM)
In some Azure environments newly created VMs are restricted from connecting to the internet. This may be done with custom routing and network security groups (NSG) at the virtual network level or with proxy settings or custom security configurations pushed to the VMs via Active Directory GPO.
In order for Nerdio Manager to be able to automate the creation and management of AVD session host VMs the following access must be possible.
| Address | Outbound TCP port | Purpose | Service Tag |
|---|---|---|---|
| 168.63.129.16 | All | Azure platform services | AzureCloud |
| *.avd.microsoft.com | 443 | Service traffic | AzureVirtualDesktop |
| mrsglobalsteus2prod.blob.core.windows.net | 443 | Agent and SXS stack updates | AzureCloud |
| *.core.windows.net | 443 | Agent traffic | AzureCloud |
| *.servicebus.windows.net | 443 | Agent traffic | AzureCloud |
| prod.warmpath.msftcloudes.com | 443 | Agent traffic | AzureCloud |
| catalogartifact.azureedge.net | 443 | Azure Marketplace | AzureCloud |
|
nmwextensions.blob.core.windows.net |
443 | DSC extension download | AzureCloud |
| kms.core.windows.net | 1688 | Windows activation | Internet |
The below addresses previously required for agent traffic have been consolidated and replaced by the single *.prod.warm.ingest.monitor.core.windows.net URL listed above. This new URL is active as of 1/31/22; please see this announcement for additional information: Important: New Changes in Required URLs
| gcs.prod.monitoring.core.windows.net | 443 | Agent traffic | AzureCloud |
| production.diagnostics.monitoring.core.windows.net | 443 | ||
| *xt.blob.core.windows.net | 443 | ||
| *eh.servicebus.windows.net | 443 | ||
| *xt.table.core.windows.net | 443 | ||
| *xt.queue.core.windows.net | 443 |
|
IMPORTANT NOTES: Azure platform mounts an ISO file to the DVD-ROM when a Windows VM is created from a generalized image. For this reason, the DVD-ROM must be enabled in the OS in the generalized image. If it is disabled, the Windows VM will be stuck at OOBE. Azure DSC extensions used by the Nerdio Manager leverage PowerShell and WinRM. Be sure that WinRM is not disabled on session host VMs and that unsigned PowerShell scripts can be run on these VMs. If there is a GPO restricting WinRM and/or unsigned scripts, exclude the OU that contains the session hosts or create a naming prefix exclusion. |
Reference KB articles:
Comments
Article is closed for comments.