Required FQDNs and endpoints for Azure Virtual Desktop
In order to deploy Azure Virtual Desktop and for your users to connect, you must allow specific FQDNs and endpoints. Users also need to be able to connect to certain FQDNs and endpoints to access their Azure Virtual Desktop resources. This article lists the required FQDNs and endpoints you need to allow for your session hosts and users.
These FQDNs and endpoints could be blocked if you're using a firewall, such as Azure Firewall, or proxy service. For guidance on using a proxy service with Azure Virtual Desktop, see Proxy service guidelines for Azure Virtual Desktop. This article doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID, Office 365, custom DNS providers or time services. Microsoft Entra FQDNs and endpoints can be found under ID 10 in Office 365 URLs and IP address ranges.
Important
Microsoft doesn't support Azure Virtual Desktop deployments where the FQDNs and endpoints listed in this article are blocked.
Session host virtual machines
The following table is the list of FQDNs and endpoints your session host VMs need to access for Azure Virtual Desktop. All entries are outbound; you don't need to open inbound ports for Azure Virtual Desktop.
| Address | Outbound TCP port | Purpose | Service tag |
|---|---|---|---|
login.partner.microsoftonline.cn |
443 | Authentication to Microsoft Online Services | |
| *.wvd.azure.cn | 443 | Service traffic | WindowsVirtualDesktop |
| mooncake.warmpath.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| monitoring.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.blob.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *.servicebus.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.table.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.queue.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| kms.core.chinacloudapi.cn | 1688 | Windows activation | Internet |
| mrsglobalstcne2mc.blob.core.chinacloudapi.cn | 443 | Agent and SXS stack updates | AzureCloud |
| wvdportalcontainer.blob.core.chinacloudapi.cn | 443 | Azure portal support | AzureCloud |
| 169.254.169.254 | 80 | Azure Instance Metadata service endpoint | N/A |
| 168.63.129.16 | 80 | Session host health monitoring | N/A |
| crl.digincert.cn | 443 | Certificates | N/A |
| microsoft.com | 443 | Certificates | N/A |
| *.prod.warm.ingest.monitor.core.chinacloudapi.cn | 443 | Agent traffic |
Important
We've finished transitioning the URLs we use for Agent traffic. We no longer support the following URLs. To prevent your session host VMs from showing a Needs Assistance status due to this, you must allow the URL *.prod.warm.ingest.monitor.core.chinacloudapi.cn if you haven't already. You should also remove the following URLs if you explicitly allowed them before the change:
| Address | Outbound TCP port | Purpose | Service tag |
|---|---|---|---|
production.diagnostics.monitoring.core.chinacloudapi.cn |
443 | Agent traffic | AzureCloud |
*xt.blob.core.chinacloudapi.cn |
443 | Agent traffic | AzureCloud |
*eh.servicebus.chinacloudapi.cn |
443 | Agent traffic | AzureCloud |
*xt.table.core.chinacloudapi.cn |
443 | Agent traffic | AzureCloud |
*xt.queue.core.chinacloudapi.cn |
443 | Agent traffic | AzureCloud |
The following table lists optional FQDNs and endpoints that your session host virtual machines might also need to access for other services:
| Address | Outbound TCP port | Purpose | Azure Cloud 21Vianet |
|---|---|---|---|
| *.chinacloudapi.cn | 443 | Authentication to Azure Online Services | login.chinacloudapi.cn |
| *.events.data.microsoft.com | 443 | Telemetry Service | None |
| www.msftconnecttest.com | 443 | Detects if the OS is connected to the internet | None |
| *.prod.do.dsp.mp.microsoft.com | 443 | Windows Update | None |
| *.sfx.ms | 443 | Updates for OneDrive client software | oneclient.sfx.ms |
| *.digicert.com | 443 | Certificate revocation check | None |
| *.azure-dns.com | 443 | Azure DNS resolution | None |
| *.azure-dns.net | 443 | Azure DNS resolution | None |
This list doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID, Office 365, custom DNS providers or time services. Microsoft Entra FQDNs and endpoints can be found under ID 10 in Office 365 URLs and IP address ranges.
Tip
You must use the wildcard character (*) for FQDNs involving service traffic. For agent traffic, if you prefer not to use a wildcard, here's how to find specific FQDNs to allow:
- Ensure your session host virtual machines are registered to a host pool.
- On a session host, open Event viewer, then go to Windows logs > Application > WVD-Agent and look for event ID 3701.
- Unblock the FQDNs that you find under event ID 3701. The FQDNs under event ID 3701 are region-specific. You'll need to repeat this process with the relevant FQDNs for each Azure region you want to deploy your session host virtual machines in.
Service tags and FQDN tags
A virtual network service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in both Network Security Group (NSG) and Azure Firewall rules to restrict outbound network access. Service tags can be also used in User Defined Route (UDR) to customize traffic routing behavior.
Azure Firewall supports Azure Virtual Desktop as a FQDN tag. For more information, see Use Azure Firewall to protect Azure Virtual Desktop deployments.
We recommend you use FQDN tags or service tags to simplify configuration. The listed FQDNs and endpoints and tags only correspond to Azure Virtual Desktop sites and resources. They don't include FQDNs and endpoints for other services such as Microsoft Entra ID. For service tags for other services, see Available service tags.
Azure Virtual Desktop doesn't have a list of IP address ranges that you can unblock instead of FQDNs to allow network traffic. If you're using a Next Generation Firewall (NGFW), you need to use a dynamic list made for Azure IP addresses to make sure you can connect.
End user devices
Any device on which you use one of the Remote Desktop clients to connect to Azure Virtual Desktop must have access to the following FQDNs and endpoints. Allowing these FQDNs and endpoints is essential for a reliable client experience. Blocking access to these FQDNs and endpoints is unsupported and affects service functionality.
| Address | Outbound TCP port | Purpose | Client(s) | Microsoft Azure operated by 21Vianet |
|---|---|---|---|---|
| *.wvd.azure.cn | 443 | Service traffic | All | *.wvd.azure.cn |
| *.servicebus.chinacloudapi.cn | 443 | Troubleshooting data | All | *.servicebus.chinacloudapi.cn |
| go.microsoft.com | 443 | Microsoft FWLinks | All | None |
| aka.ms | 443 | Microsoft URL shortener | All | None |
| learn.microsoft.com | 443 | Documentation | All | None |
| privacy.microsoft.com | 443 | Privacy statement | All | None |
| query.prod.cms.rt.microsoft.com | 443 | Download an MSI to update the client. Required for automatic updates. | Windows Desktop | None |
These FQDNs and endpoints only correspond to client sites and resources. This list doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID or Office 365. Microsoft Entra FQDNs and endpoints can be found under ID 10 in Office 365 URLs and IP address ranges.
Next steps
To learn how to unblock these FQDNs and endpoints in Azure Firewall, see Use Azure Firewall to protect Azure Virtual Desktop.
For more information about network connectivity, see Understanding Azure Virtual Desktop network connectivity