Firewall Considerations – Windows Virtual Desktop (WVD)


This article covers both firewall and perimeter security considerations when deploying or enhancing an existing WVD Deployment. It would not be wise to deploy a Windows Virtual Desktop solution with users directly connecting to the public network without some form of security provision. In this article, we will look at the options available and some of the considerations needed for deploying the Azure firewall or a third party firewall for Windows Virtual Desktop.

Perimeter security – Why:

Deploying a third party firewall provides the added benefits of content filtering, gateway antivirus and application control features amongst others. Content filtering is a must for some industries and without this, it would not be possible to implement Windows Virtual Desktop. Take Education for example, safeguarding and education friendly content control. This cannot be achieved out of the box with WVD. Some may turn to third party applications to achieve the content filtering objective, however using localised applications for such functions does have a performance cost associated within a host pool.

There are many firewall options available to use and you can find these on the Azure Market place:

Azure Marketplace – Firewalls

Enhancing Security using a third party firewall:

As shown in the image below, you can see that a third party firewall can sit between multiple subnets on a VNet. In this example we have a LAN subnet where local azure resources reside and a WAN subnet where we assign Azure Public IP addresses and NAT across.

You will note that the security features can inspect locally between services as well as ingress and egress traffic to and from the public network. The added value of IPS and packet inspection should be noted.

Third Party Firewall Example Deployment

Using Azure’s Firewall:

You don’t have to use a third party firewall, There is the option to use Microsoft Azure’s Firewall. Microsoft recently published information relating using Windows Virtual Desktop with the Azure Firewall around the 5th of May 2020.

There are some differences to a third party firewall including the security features mentioned above. Azure’s Firewall does provide the ability to send user internet traffic to an on-premises proxy. There are implications in doing this and a possible impact to user performance. Azure’s firewall also offer’s feautres like Microsoft threat intelligence and application / network rules. One of the key benefits of the Azure firewall is that it is vastly scalable enabling automation.

Windows Virtual Desktop architecture Azure Firewall Overview

Issues you may experience if the firewall is not configured / correctly:

There are many issues that can occur when a firewall is not configured correctly for Windows Virtual Desktop. The two most...