This article provides key design considerations and recommendations for security, governance, and compliance in Azure Virtual Desktop landing zones in accordance with Microsoft's Cloud Adoption Framework. Review the following sections to find recommended security controls and governance for your Azure Virtual Desktop landing zone.

Secure user access to Azure Virtual Desktop by establishing an Azure AD Conditional Access policy that requires Azure AD Multi-Factor Authentication or a partner multifactor authentication tool. Consider your users' locations, devices, and sign-in behaviors, and add extra controls as needed based on their access patterns. For more information on enabling Azure Multi-Factor Authentication for Azure Virtual Desktop, see Enable Azure multifactor authentication for Azure Virtual Desktop.

Assign the least privilege required by mapping administrative, operations, and engineering roles to Azure RBAC roles. Knowing which team is responsible for each administrative area helps you determine the Azure role-based access control (RBAC) roles and configuration you need. To limit access to high-privilege roles within your Azure Virtual Desktop landing zone, consider integration with Azure Privileged Identity Management (PIM).

Use Azure AD groups rather than individual users when assigning access to Azure Virtual Desktop application groups. Consider using existing security groups that map to business functions within your organization, which lets you reuse existing user provisioning and de-provisioning processes.

Use an Azure managed identity or a service principal with certificate credentials for automation and services in Azure Virtual Desktop. Assign the automation account the least privilege it needs, scoped to the Azure Virtual Desktop landing zone(s). You can use Azure Key Vault with Azure managed identities so that runtime environments (like an Azure Function) retrieve automation credentials from the key vault instead of carrying them in code or configuration.

Ensure that you collect user and administrator activity logs for Azure Active Directory and the Azure Virtual Desktop landing zone(s) from all relevant sources, and monitor these logs with your Security Information and Event Management (SIEM) tool.

Provision or reuse a dedicated virtual network for your Azure Virtual Desktop landing zone(s). Plan IP address space to accommodate the scale of your session hosts: establish your baseline subnet size from the minimum and maximum number of session hosts per host pool, and map your business unit requirements to your host pools.

Use network security groups (NSGs) and/or Azure Firewall (or a third-party firewall appliance) to establish micro-segmentation. Use Azure Virtual Network service tags and application security groups (ASGs) to define network access controls on NSGs or on an Azure Firewall configured for your Azure Virtual Desktop resources. Based on your applications and enterprise segmentation strategy, restrict traffic between your session hosts and internal resources through security group rules or Azure Firewall (or a third-party firewall appliance) at scale. Enable Azure DDoS Protection Standard for Azure Firewall (or a third-party firewall appliance) to help secure your Azure Virtual Desktop landing zone(s).

Verify that the session hosts' outgoing access to the required URLs is bypassed by the proxy (if one is used within the session hosts) and by Azure Firewall (or a third-party firewall appliance). In Azure Virtual Desktop, traffic is encrypted in transit by default. If you use a proxy for outbound internet access from your session hosts: configure proxy servers in the same geography as the Azure Virtual Desktop session hosts and clients (if using cloud proxy providers); avoid proxy configurations that require user authentication, because Azure Virtual Desktop components on the session host run in the context of the operating system and therefore don't support proxy servers that require authentication; and note that a system-wide proxy must be enabled before you can configure a host-level proxy on your session host.
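The user-access recommendations above (Conditional Access with multifactor authentication, and group-based rather than per-user assignment to application groups) come together in the following PowerShell, added here as an illustration; it is not code from Microsoft's article or from any Azure Virtual Desktop project. It assumes the Microsoft.Graph and Az PowerShell modules, a caller with the Graph scopes requested below plus Owner or User Access Administrator on the landing zone resource group, and placeholder names for the group, break-glass group, resource group, and application group. The application IDs are resolved from the tenant by display name rather than hard-coded; check Microsoft's current guidance for the full set of first-party apps to target.

```powershell
# Added example (not from the Microsoft article): Conditional Access + group-based RBAC for AVD.
# All names below are placeholders for your own tenant and landing zone.
$userGroupName       = 'sg-avd-finance-users'     # existing Azure AD security group
$breakGlassGroupName = 'sg-emergency-access'      # excluded so a CA misconfiguration cannot lock out admins
$resourceGroup       = 'rg-avd-lz-prod'           # AVD landing zone resource group
$appGroupName        = 'vdag-finance-desktop'     # AVD application group

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Application.Read.All','Group.Read.All'
Connect-AzAccount

# 1. Resolve the AVD-related first-party service principals by display name instead of
#    hard-coding app IDs. Microsoft's guidance targets the AVD service and the Remote Desktop
#    client app; compare the resolved set against the current documented list.
$avdApps = foreach ($name in 'Azure Virtual Desktop','Microsoft Remote Desktop') {
    Get-MgServicePrincipal -Filter "displayName eq '$name'" | Select-Object -ExpandProperty AppId
}
if (@($avdApps).Count -lt 2) { throw 'Could not resolve the AVD service principals in this tenant.' }

$userGroup       = Get-MgGroup -Filter "displayName eq '$userGroupName'"
$breakGlassGroup = Get-MgGroup -Filter "displayName eq '$breakGlassGroupName'"
if (-not $userGroup -or -not $breakGlassGroup) { throw 'Required groups not found.' }

# 2. Conditional Access: require MFA for the AVD apps, scoped to the user group. Created in
#    report-only mode so sign-in logs show the impact (users, devices, locations) before
#    enforcement; switch state to 'enabled' after review.
$policy = @{
    displayName = 'CA-AVD-RequireMFA'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        applications   = @{ includeApplications = @($avdApps) }
        users          = @{
            includeGroups = @($userGroup.Id)
            excludeGroups = @($breakGlassGroup.Id)
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy | Out-Null

# 3. RBAC: grant the GROUP (never individual users) the Desktop Virtualization User role at
#    the application group scope only. That is the least privilege needed to launch the
#    published desktop or apps, and joiners/leavers are handled by group membership.
$appGroup = Get-AzWvdApplicationGroup -ResourceGroupName $resourceGroup -Name $appGroupName
New-AzRoleAssignment -ObjectId $userGroup.Id `
                     -RoleDefinitionName 'Desktop Virtualization User' `
                     -Scope $appGroup.Id
```

Leaving the policy in report-only mode for a cycle is the practical way to act on the "consider your users' locations, devices, and sign-in behaviors" recommendation: the Conditional Access insights show exactly which sign-ins would have been blocked or prompted before anyone is affected.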
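The automation recommendations above (managed identity or certificate-based service principal, least privilege scoped to the landing zone, credentials pulled from Key Vault at runtime) are shown below as an added PowerShell example, not as code from Microsoft's article. It assumes the Az modules, a Function App that runs the PowerShell worker, a Key Vault using the Azure RBAC permission model, and placeholder names for the resource group, Function App, vault, and secret.

```powershell
# Added example (not from the Microsoft article): least-privilege automation identity for AVD.
# Part 1 runs once from an operator session; Part 2 is what runs inside the Function.
# Names are placeholders.
$resourceGroup = 'rg-avd-lz-prod'
$functionApp   = 'func-avd-automation'
$vaultName     = 'kv-avd-lz-prod'
$secretName    = 'avd-domainjoin-password'

# ---- Part 1: operator setup --------------------------------------------------------
Connect-AzAccount

# Turn on a system-assigned managed identity for the Function App. The identity's service
# principal carries the same display name as the app, which is how we look it up.
Update-AzFunctionApp -ResourceGroupName $resourceGroup -Name $functionApp -IdentityType SystemAssigned | Out-Null
$principalId = (Get-AzADServicePrincipal -DisplayName $functionApp).Id

# Key Vault: read access to the ONE secret the automation needs (secret-level scope), with the
# read-only 'Key Vault Secrets User' role, not a vault-wide or administrator role.
$vaultId     = (Get-AzKeyVault -VaultName $vaultName).ResourceId
$secretScope = "$vaultId/secrets/$secretName"
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Key Vault Secrets User' -Scope $secretScope

# AVD: scope the identity's management rights to the landing zone resource group, never the
# subscription or management group.
$rgScope = (Get-AzResourceGroup -Name $resourceGroup).ResourceId
New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName 'Desktop Virtualization Contributor' -Scope $rgScope

# ---- Part 2: inside the Function (PowerShell worker) -------------------------------
# No client secret or password ships with the code: the managed identity IS the credential.
Connect-AzAccount -Identity | Out-Null
$joinPassword = Get-AzKeyVaultSecret -VaultName $vaultName -Name $secretName -AsPlainText
# ... use $joinPassword, for example when adding session hosts to a host pool ...

# Where a managed identity is not available (e.g. an on-premises runner), the fallback the
# article allows is a service principal with a CERTIFICATE, not a client secret:
#   Connect-AzAccount -ServicePrincipal -TenantId $tenantId -ApplicationId $appId `
#                     -CertificateThumbprint $thumbprint
```

If the identity ever needs to be revoked, removing the two role assignments is sufficient; there is no secret to rotate, which is the point of preferring managed identities over stored credentials.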
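The networking recommendations above (dedicated subnet per host pool, NSG micro-segmentation, service tags and application security groups, least-privilege outbound) are demonstrated in the following added PowerShell example, which is not code from Microsoft's article. It assumes the Az.Network module, an existing virtual network and session-host subnet with placeholder names, and a short allow list of Azure service tags; that list must be reconciled against Microsoft's published required-URL list for session hosts (and verified, for example with connection logs) before the final deny rule is relied on, because the deny also catches anything the tags do not cover.

```powershell
# Added example (not from the Microsoft article): NSG micro-segmentation for AVD session hosts.
# Source = an application security group the session host NICs are attached to, so rules follow
# the role rather than an IP range; destinations = Azure service tags. Placeholder names.
$resourceGroup = 'rg-avd-lz-prod'
$location      = 'westeurope'
$vnetName      = 'vnet-avd-lz-prod'
$subnetName    = 'snet-avd-finance'     # sized from the host pool's min/max session host count

Connect-AzAccount

# ASG for the session hosts. Attach each host NIC with
#   $nic.IpConfigurations[0].ApplicationSecurityGroups = @($asg); $nic | Set-AzNetworkInterface
# (NICs in an ASG must live in the same virtual network).
$asg = New-AzApplicationSecurityGroup -ResourceGroupName $resourceGroup -Name 'asg-avd-sessionhosts' -Location $location

# Outbound TCP/443 allows from the ASG to the service tags AVD needs. Lower number = higher precedence.
# Extend this list with the additional tags from Microsoft's required-URL table for your features.
$priority = 100
$rules = foreach ($tag in 'WindowsVirtualDesktop','AzureActiveDirectory','AzureMonitor','AzureCloud') {
    New-AzNetworkSecurityRuleConfig -Name "Allow-Out-$tag" -Priority $priority -Direction Outbound -Access Allow `
        -Protocol Tcp -SourceApplicationSecurityGroup $asg -SourcePortRange '*' `
        -DestinationAddressPrefix $tag -DestinationPortRange 443
    $priority += 10
}

# Windows activation (Azure KMS) is TCP/1688 and is listed by Microsoft against the 'Internet' tag.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Allow-Out-KMS' -Priority 200 -Direction Outbound -Access Allow `
    -Protocol Tcp -SourceApplicationSecurityGroup $asg -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange 1688

# AVD uses reverse connect, so session hosts need no inbound from each other: deny host-to-host
# traffic inside the ASG to limit lateral movement (overrides the default AllowVnetInBound).
$rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-In-Lateral' -Priority 300 -Direction Inbound -Access Deny `
    -Protocol '*' -SourceApplicationSecurityGroup $asg -SourcePortRange '*' `
    -DestinationApplicationSecurityGroup $asg -DestinationPortRange '*'

# Explicit catch-all deny for other Internet-bound traffic, evaluated after the allows above.
$rules += New-AzNetworkSecurityRuleConfig -Name 'Deny-Out-Internet' -Priority 4000 -Direction Outbound -Access Deny `
    -Protocol '*' -SourceApplicationSecurityGroup $asg -SourcePortRange '*' `
    -DestinationAddressPrefix 'Internet' -DestinationPortRange '*'

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name 'nsg-avd-sessionhosts' `
    -Location $location -SecurityRules $rules

# Bind the NSG to the session host subnet.
$vnet   = Get-AzVirtualNetwork -ResourceGroupName $resourceGroup -Name $vnetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null
```

Traffic to internal resources (file servers, domain controllers, line-of-business apps) is deliberately left to additional rules written against those destinations' own ASGs or to Azure Firewall policy, following the per-application segmentation strategy the article calls for; the block above only establishes the session host baseline.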