Required FQDNs and endpoints for Azure Virtual Desktop

To deploy Azure Virtual Desktop, your session hosts must be able to reach a specific set of FQDNs and endpoints, and your users' devices must be able to reach another set to connect to their resources. This article lists both: the FQDNs and endpoints you need to allow for session hosts, and those you need to allow for end user devices.

A firewall, such as Azure Firewall, or a proxy service can block these FQDNs and endpoints. For guidance on using a proxy service with Azure Virtual Desktop, see Proxy service guidelines for Azure Virtual Desktop. This article doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID, Office 365, custom DNS providers, or time services. Microsoft Entra FQDNs and endpoints are listed under ID 10 in Office 365 URLs and IP address ranges.

Important

Microsoft doesn't support Azure Virtual Desktop deployments where the FQDNs and endpoints listed in this article are blocked.

Session host virtual machines

The following table lists the FQDNs and endpoints your session host VMs need to reach for Azure Virtual Desktop. All entries are outbound connections initiated by the session host; you don't need to open any inbound ports for Azure Virtual Desktop.

| Address | Outbound TCP port | Purpose | Service tag |
|---|---|---|---|
| login.partner.microsoftonline.cn | 443 | Authentication to Microsoft Online Services | |
| *.wvd.azure.cn | 443 | Service traffic | WindowsVirtualDesktop |
| mooncake.warmpath.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| monitoring.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.blob.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *.servicebus.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.table.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.queue.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| kms.core.chinacloudapi.cn | 1688 | Windows activation | Internet |
| mrsglobalstcne2mc.blob.core.chinacloudapi.cn | 443 | Agent and SXS stack updates | AzureCloud |
| wvdportalcontainer.blob.core.chinacloudapi.cn | 443 | Azure portal support | AzureCloud |
| 169.254.169.254 | 80 | Azure Instance Metadata service endpoint | N/A |
| 168.63.129.16 | 80 | Session host health monitoring | N/A |
| crl.digicert.cn | 443 | Certificates | N/A |
| microsoft.com | 443 | Certificates | N/A |
| *.prod.warm.ingest.monitor.core.chinacloudapi.cn | 443 | Agent traffic | |

Important

We've finished transitioning the URLs used for agent traffic and no longer support the URLs in the following table. To prevent your session host VMs from showing a Needs Assistance status because the agent can't reach its new endpoint, allow the URL *.prod.warm.ingest.monitor.core.chinacloudapi.cn if you haven't already, and remove the following URLs from your rules if you explicitly allowed them before the change:

| Address | Outbound TCP port | Purpose | Service tag |
|---|---|---|---|
| production.diagnostics.monitoring.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.blob.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *eh.servicebus.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.table.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |
| *xt.queue.core.chinacloudapi.cn | 443 | Agent traffic | AzureCloud |

The following table lists optional FQDNs and endpoints that your session host virtual machines might also need to access for other services:

| Address | Outbound TCP port | Purpose | Microsoft Azure operated by 21Vianet |
|---|---|---|---|
| *.chinacloudapi.cn | 443 | Authentication to Azure Online Services | login.chinacloudapi.cn |
| *.events.data.microsoft.com | 443 | Telemetry Service | None |
| www.msftconnecttest.com | 443 | Detects if the OS is connected to the internet | None |
| *.prod.do.dsp.mp.microsoft.com | 443 | Windows Update | None |
| *.sfx.ms | 443 | Updates for OneDrive client software | oneclient.sfx.ms |
| *.digicert.com | 443 | Certificate revocation check | None |
| *.azure-dns.com | 443 | Azure DNS resolution | None |
| *.azure-dns.net | 443 | Azure DNS resolution | None |

This list doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID, Office 365, custom DNS providers or time services. Microsoft Entra FQDNs and endpoints can be found under ID 10 in Office 365 URLs and IP address ranges.

Tip

You must use the wildcard character (*) for FQDNs involving service traffic. For agent traffic, if you prefer not to use a wildcard, here's how to find the specific FQDNs to allow:

  1. Make sure your session host virtual machines are registered to a host pool.
  2. On a session host, open Event Viewer, go to Windows Logs > Application, and filter on the WVD-Agent source for event ID 3701.
  3. Allow the FQDNs listed under event ID 3701. These FQDNs are region-specific, so repeat this process for each Azure region you deploy session host virtual machines in.
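The script below is an added example, not Microsoft's code or part of this article. It takes host names discovered on a session host (for instance from the message text of the event described above), checks them against the session host table on this page, and reports which ones no rule covers. The wildcard semantics it implements (a single leading * that must match at least one character, so *.wvd.azure.cn does not cover the bare apex wvd.azure.cn or a look-alike such as evil-wvd.azure.cn) are an assumption modelled on how Azure Firewall application rules treat target FQDNs; confirm them against your own firewall's documentation. SAMPLE_MESSAGE is constructed text for the extractor to run on and is not the real format of event 3701.

```python
"""Check host names seen in agent logs against the Azure Virtual Desktop allow list.

Added example, not Microsoft's code. REQUIRED_SESSION_HOST copies the session
host table from this page. The wildcard semantics in covers() (a single
leading '*' that must match at least one character, so '*.x' never matches
the bare apex 'x') are an assumption modelled on Azure Firewall application
rules; confirm them against your own firewall.
"""
import re

# (pattern, outbound TCP port) pairs from the session host table on this page.
REQUIRED_SESSION_HOST = [
    ("login.partner.microsoftonline.cn", 443),
    ("*.wvd.azure.cn", 443),
    ("mooncake.warmpath.chinacloudapi.cn", 443),
    ("monitoring.core.chinacloudapi.cn", 443),
    ("*xt.blob.core.chinacloudapi.cn", 443),
    ("*.servicebus.chinacloudapi.cn", 443),
    ("*xt.table.core.chinacloudapi.cn", 443),
    ("*xt.queue.core.chinacloudapi.cn", 443),
    ("kms.core.chinacloudapi.cn", 1688),
    ("mrsglobalstcne2mc.blob.core.chinacloudapi.cn", 443),
    ("wvdportalcontainer.blob.core.chinacloudapi.cn", 443),
    ("crl.digicert.cn", 443),
    ("microsoft.com", 443),
    ("*.prod.warm.ingest.monitor.core.chinacloudapi.cn", 443),
]


def _norm(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Host.' and 'host' compare equal."""
    return name.strip().lower().rstrip(".")


def covers(host: str, pattern: str) -> bool:
    """True if `pattern` (exact FQDN or leading-'*' wildcard) allows `host`.

    The '*' stands for one or more characters at the start of the name, so
    '*xt.blob.core.chinacloudapi.cn' covers 'agentxt.blob.core.chinacloudapi.cn'
    and '*.wvd.azure.cn' covers 'rdbroker.wvd.azure.cn' but neither the apex
    'wvd.azure.cn' nor a look-alike such as 'evil-wvd.azure.cn'. Any other
    '*' placement is rejected rather than silently widened.
    """
    host, pattern = _norm(host), _norm(pattern)
    if pattern.startswith("*"):
        suffix = pattern[1:]
        if "*" in suffix:
            raise ValueError(f"unsupported wildcard placement: {pattern}")
        return host.endswith(suffix) and len(host) > len(suffix)
    if "*" in pattern:
        raise ValueError(f"unsupported wildcard placement: {pattern}")
    return host == pattern


def allowed(host: str, port: int, allow_list=REQUIRED_SESSION_HOST) -> bool:
    """True if some allow-list entry covers `host` on exactly `port`."""
    return any(p == port and covers(host, pat) for pat, p in allow_list)


# Host names: dot-separated labels of letters, digits and hyphens, alphabetic TLD.
_FQDN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)


def extract_fqdns(text: str) -> list[str]:
    """Unique host names in free text, in order of first appearance."""
    seen: set[str] = set()
    out: list[str] = []
    for match in _FQDN_RE.finditer(text):
        name = _norm(match.group(0))
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def uncovered(hosts, port: int = 443, allow_list=REQUIRED_SESSION_HOST) -> list[str]:
    """Hosts that no allow-list entry covers on `port`: the rules you still need."""
    return [h for h in hosts if not allowed(h, port, allow_list)]


# Constructed sample text to run the extractor on. It is NOT the real format of
# WVD-Agent event 3701; paste the message text of that event here in practice.
SAMPLE_MESSAGE = (
    "Agent failed to reach rdagentxt.blob.core.chinacloudapi.cn:443, "
    "rdbroker.wvd.azure.cn:443 and www.example.cn:443; telemetry endpoint "
    "cne2.prod.warm.ingest.monitor.core.chinacloudapi.cn"
)

if __name__ == "__main__":
    found = extract_fqdns(SAMPLE_MESSAGE)
    print("found:", found)
    print("not covered on 443:", uncovered(found))
```

Run it with the message text of each event 3701 you find and treat the uncovered list as the region-specific rules to add; because the check is per port, a host that is only allowed on 443 still shows up as uncovered if the agent needs it on another port.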

Service tags and FQDN tags

A virtual network service tag represents a group of IP address prefixes from a given Azure service. Microsoft manages the address prefixes encompassed by the service tag and automatically updates the service tag as addresses change, minimizing the complexity of frequent updates to network security rules. Service tags can be used in both Network Security Group (NSG) and Azure Firewall rules to restrict outbound network access. Service tags can also be used in a User Defined Route (UDR) to customize traffic routing behavior.

Azure Firewall supports Azure Virtual Desktop as an FQDN tag. For more information, see Use Azure Firewall to protect Azure Virtual Desktop deployments.

We recommend you use FQDN tags or service tags to simplify configuration. The FQDNs, endpoints, and tags listed here correspond only to Azure Virtual Desktop sites and resources. They don't include FQDNs and endpoints for other services such as Microsoft Entra ID. For service tags for other services, see Available service tags.

Azure Virtual Desktop doesn't publish a list of IP address ranges that you can allow instead of FQDNs. If you're using a Next Generation Firewall (NGFW), you need to use a dynamic list built from the published Azure IP address ranges to make sure you can connect, and keep that list current as the ranges change.
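The following is an added example, not Microsoft's code or part of this article, of working with the published Azure IP ranges so that an NGFW dynamic list tracks a service tag rather than a hand-copied set of prefixes. It assumes the JSON layout of the "Azure IP Ranges and Service Tags" download (a top-level values array whose items carry name and properties.addressPrefixes); confirm that against the file you download. The two documents in the script are constructed for the example, with documentation-only prefixes, not real Azure ranges.

```python
"""Map IP addresses to Azure service tags and keep an NGFW dynamic list in sync.

Added example, not Microsoft's code. It assumes the JSON layout of the
published "Azure IP Ranges and Service Tags" download: a top-level "values"
array whose items carry "name" and "properties": {"addressPrefixes": [...]}.
Confirm that against the file you download. SAMPLE_V1 and SAMPLE_V2 are
constructed, with documentation-only prefixes, not real Azure ranges.
"""
import ipaddress
import json

# Constructed stand-in for two successive downloads of the service-tags file.
SAMPLE_V1 = {
    "changeNumber": 1,
    "cloud": "AzureChinaCloud",
    "values": [
        {"name": "WindowsVirtualDesktop",
         "properties": {"addressPrefixes": ["203.0.113.0/24", "2001:db8:1::/48"]}},
        {"name": "AzureCloud.chinaeast2",
         "properties": {"addressPrefixes": ["198.51.100.0/24"]}},
        {"name": "AzureCloud",
         "properties": {"addressPrefixes": ["198.51.100.0/24", "203.0.113.0/24"]}},
    ],
}
# Deep copy, then pretend the next publication shrank one range and added another.
SAMPLE_V2 = json.loads(json.dumps(SAMPLE_V1))
SAMPLE_V2["changeNumber"] = 2
SAMPLE_V2["values"][0]["properties"]["addressPrefixes"] = [
    "203.0.113.0/25", "192.0.2.0/24", "2001:db8:1::/48",
]


def load_tags(doc: dict) -> dict:
    """Turn a parsed service-tags document into {tag name: [ip_network, ...]}."""
    tags = {}
    for entry in doc["values"]:
        prefixes = entry["properties"]["addressPrefixes"]
        tags[entry["name"]] = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    return tags


def tags_for(ip: str, tags: dict) -> list:
    """Sorted names of every service tag whose prefixes contain `ip`."""
    addr = ipaddress.ip_address(ip)
    return sorted(name for name, nets in tags.items()
                  if any(n.version == addr.version and addr in n for n in nets))


def prefixes_for(tag: str, tags: dict, version: int = 4) -> list:
    """Prefix strings of one tag for one IP version, as an NGFW dynamic list wants them."""
    return sorted(str(n) for n in tags.get(tag, []) if n.version == version)


def tag_diff(old: dict, new: dict, tag: str) -> tuple:
    """(added, removed) prefix strings for `tag` between two downloads."""
    before = {str(n) for n in old.get(tag, [])}
    after = {str(n) for n in new.get(tag, [])}
    return sorted(after - before), sorted(before - after)


if __name__ == "__main__":
    # In practice: v1 = load_tags(json.load(open("ServiceTags_China.json")))
    v1, v2 = load_tags(SAMPLE_V1), load_tags(SAMPLE_V2)
    print("203.0.113.7 is in:", tags_for("203.0.113.7", v1))
    print("WindowsVirtualDesktop IPv4 list:", prefixes_for("WindowsVirtualDesktop", v1))
    added, removed = tag_diff(v1, v2, "WindowsVirtualDesktop")
    print("added:", added, "removed:", removed)
```

The diff is the part worth automating: run it against each new changeNumber and push the added and removed prefixes to the firewall's dynamic list, rather than regenerating the whole list and losing the audit trail of what changed. tags_for is useful the other way round, when a blocked-connection log shows only a destination IP and you need to know which tag a rule should have covered it.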

End user devices

Any device on which you use one of the Remote Desktop clients to connect to Azure Virtual Desktop must have access to the following FQDNs and endpoints. Allowing these FQDNs and endpoints is essential for a reliable client experience. Blocking access to these FQDNs and endpoints is unsupported and affects service functionality.

| Address | Outbound TCP port | Purpose | Client(s) | Microsoft Azure operated by 21Vianet |
|---|---|---|---|---|
| *.wvd.azure.cn | 443 | Service traffic | All | *.wvd.azure.cn |
| *.servicebus.chinacloudapi.cn | 443 | Troubleshooting data | All | *.servicebus.chinacloudapi.cn |
| go.microsoft.com | 443 | Microsoft FWLinks | All | None |
| aka.ms | 443 | Microsoft URL shortener | All | None |
| learn.microsoft.com | 443 | Documentation | All | None |
| privacy.microsoft.com | 443 | Privacy statement | All | None |
| query.prod.cms.rt.microsoft.com | 443 | Download an MSI to update the client. Required for automatic updates. | Windows Desktop | None |

These FQDNs and endpoints only correspond to client sites and resources. This list doesn't include FQDNs and endpoints for other services such as Microsoft Entra ID or Office 365. Microsoft Entra FQDNs and endpoints can be found under ID 10 in Office 365 URLs and IP address ranges.
