TechDirectArchive

Hands-on IT, Cloud, Security, Veeam & DevOps
How to implement Azure Private Link for Azure Virtual Desktop [Part 06]

Posted on 29/06/2026 (updated 30/06/2026) by Link State, in AWS/Azure/OpenShift

In this guide, we shall discuss “How to implement Azure Private Link for Azure Virtual Desktop [Part 06]”. It explains how to implement Azure Private Link within an existing Azure Virtual Desktop environment, with the goal of improving security and control of the network traffic to its management and access services. Please see Azure Virtual Desktop: Connect to Session Hosts Using Entra ID [Part 04], and Azure Virtual Desktop: Autoscaling Implementing and Monitoring Session Hosts [Part 05].

In a traditional scenario, Azure Virtual Desktop relies on public endpoints to enable communication between clients, control services, and cloud infrastructure. While functional, this model may not be sufficient in enterprise contexts with strict security and network isolation requirements.

The adoption of Azure Private Link allows traffic to be routed through private endpoints within your virtual network, reducing exposure to the internet and ensuring more secure and controlled connectivity.

You have an existing Azure Virtual Desktop environment and need to configure it to use Azure Private Link as a secure connection method to AVD services.

Objectives

At the end of this guide, you will be able to implement Azure Private Link for Azure Virtual Desktop.

The exercise focuses on implementing and validating an Azure Virtual Desktop Private Link setup, covering networking and security configuration tasks.

  • Re-register the Azure Virtual Desktop resource provider
  • Create a subnet in an Azure virtual network
  • Configure a Private Endpoint for host pool connectivity
  • Configure a Private Endpoint for feed download
  • Configure a Private Endpoint for initial feed discovery
  • Validate that Private Endpoints are working correctly
  • Enable public network access for the host pool and workspace

Azure Virtual Desktop uses three distinct workflows, each mapped to specific resource types when implementing Azure Private Link:

  • Initial feed discovery
    Enables RDP clients to discover all workspaces assigned to a user. To support this via Private Link, you must create a single Private Endpoint targeting the global sub-resource of any workspace in the AVD deployment. Only one such Private Endpoint is allowed per deployment, regardless of the workspace selected.
  • Feed download
    Enables RDP clients to retrieve connection details for workspaces hosting the user’s application groups. To enable this, you must create a Private Endpoint for the feed sub-resource for each workspace that should be accessible through Private Link.
  • Host pool connections
    Enables RDP clients and session hosts to connect to a host pool. To support this, you must create a Private Endpoint for the connection sub-resource for each host pool exposed via Private Link.
Workflow | Purpose | Private Endpoint configuration | Scope
Initial feed discovery | Allows RDP clients to discover all workspaces assigned to a user | Single Private Endpoint targeting the global sub-resource of any workspace in the deployment | One per deployment (only one allowed)
Feed download | Allows RDP clients to download connection details for workspaces hosting the user’s application groups | Private Endpoint targeting the feed sub-resource | One per workspace to be exposed
Host pool connections | Allows RDP clients and session hosts to connect to a host pool | Private Endpoint targeting the connection sub-resource | One per host pool exposed

Note: There are four possible configurations for implementing Azure Virtual Desktop workflows with Private Link:

  • Fully public setup: all traffic uses public routes and Private Link is not used.
  • Fully private setup: all traffic (initial feed discovery, feed download, and session connections) uses private routes.
  • Hybrid setup 1: feed download and session connections use private routes, while initial feed discovery uses public routes.
  • Hybrid setup 2: only session connections use private routes, while initial feed discovery and feed download remain public.

Please see Azure Virtual Desktop: Deploy host pools and session hosts in the Azure [Part 01], Azure Virtual Desktop: How to set Up Azure Virtual Desktop Insights Monitoring [Part 03], and Azure Virtual Desktop: Manage Azure Virtual Desktop host pools and session hosts using the Azure portal [Part 02]

Re-Registering the Azure Virtual Desktop Resource Provider

Before using Private Link with Azure Virtual Desktop, you must re-register the Microsoft.DesktopVirtualization resource provider.

  • On the Resource providers tab, in the search box, enter Microsoft.DesktopVirtualization. From the results list, select the radio button next to the Microsoft.DesktopVirtualization entry, then click Re-register.

Wait for the re-registration process to complete. This typically takes less than one minute.

Create an Azure virtual network subnet

Note: You can use an existing subnet in an Azure virtual network to deploy the private endpoints in this scenario; however, it is best practice to use a dedicated subnet for this purpose.

On the XXXX-vnetXXXX page, in the Settings section of the left-hand navigation menu, select Subnets.
On the XXXX-vnetXXXX | Subnets page, select + Subnet.

In the Add a subnet pane, configure the required settings (keeping defaults unchanged) and then select Add.

Setting | Value
Name | pe-Subnet
Starting address | 10.20.255.0
Enable private subnet (no default outbound access) | Disabled

Configuring a Private Endpoint for Host Pool Connections

On the XXXXX-hp1 page, in the left-hand navigation menu under Settings, select Networking. On the XXXXX-hp1 | Networking page, open the Private endpoint connections tab, then select + New private endpoint.

On the Basics tab of the Create a private endpoint page, enter the required settings and then select Next: Resource >.

Setting | Value
Subscription | SUBSCRIPTION-XXXX
Resource group | RG-XXXX
Name | PE-HP1-XXXX
Network Interface Name | PE-HP1-NIC-XXXX
Region | Azure region where the Azure Virtual Desktop environment is deployed

On the Resource tab, specify the required settings and select Next: Virtual network >.

Setting | Value
Target sub-resource | connection

On the Virtual network tab, configure the required settings (keeping defaults unchanged) and then select Next: DNS >.

Setting | Value
Virtual network | VNET-XXXX (RG-XXXX)
Subnet | SUBNET-PRIVATE-ENDPOINT
Network policy for private endpoints | Disabled
Private IP configuration | Dynamically allocate IP address

On the DNS tab of the Create a private endpoint page, configure the required settings and then select Next: Tags >.

Setting | Value
Integrate with private DNS zone | Yes
Subscription | SUBSCRIPTION-XXXX
Resource group | XXXXX-XXX-RG

This step will create a private DNS zone named privatelink.wvd.microsoft.com.

On the Tags tab of the Create a private endpoint page, select Review + create. On the Review + create tab, select Create.

Wait for the deployment to complete (approximately 3 minutes). Note that a separate private endpoint must be created for the connection sub-resource of each host pool you want to use with Private Link.

Creating a Private Endpoint for Feed Download

On the Azure Virtual Desktop | Workspaces page, open az140-21-ws1. In the Settings section, select Networking, then go to the Private endpoint connections tab and click + New private endpoint.

On the Basics tab of the Create a private endpoint page, configure the required settings and select Next: Resource >.

Setting | Value
Subscription | SUBSCRIPTION-XXXX
Resource group | RG-XXXX
Name | PE-FEED-XXXX
Network Interface Name | PE-FEED-NIC-XXXX
Region | Azure region of the Azure Virtual Desktop environment

On the Resource tab of the Create a private endpoint page, configure the required settings and then select Next: Virtual network >.

Setting | Value
Target sub-resource | feed

On the Virtual network tab, configure the required settings (keeping defaults unchanged) and select Next: DNS >.

Setting | Value
Virtual network | VNET-XXXX (RG-XXXX)
Subnet | PE-SUBNET
Network policy for private endpoints | Disabled
Private IP configuration | Dynamically allocate IP address

On the DNS tab, configure the required settings and then select Next: Tags >.

Setting | Value
Integrate with private DNS zone | Yes
Subscription | SUBSCRIPTION-XXXX
Resource group | RG-XXXX

This step reuses the private DNS zone named privatelink.wvd.microsoft.com that was created with the host pool private endpoint.

On the Tags tab, select Review + create, then on the Review + create tab select Create. Note that a separate private endpoint is required for the feed sub-resource of each workspace used with Private Link.

Configuring a Private Endpoint for Initial Feed Discovery

On the Azure Virtual Desktop | Workspaces page, open XXXX-XXX-ws1, go to Networking under Settings, then in Private endpoint connections select + New private endpoint.

On the Basics tab of the Create a private endpoint page, configure the required settings and then select Next: Resource >.

Setting | Value
Subscription | SUBSCRIPTION-XXXX
Resource group | RG-XXXX
Name | PE-FEEDDISC-XXXX
Network Interface Name | PE-FEEDDISC-NIC-XXXX
Region | Azure region where the Azure Virtual Desktop environment is deployed

On the Resource tab of the Create a private endpoint page, configure the required settings and select Next: Virtual network >.

Setting | Value
Target sub-resource | global

On the Virtual network tab, configure the required settings (keeping defaults unchanged) and select Next: DNS >.

Setting | Value
Virtual network | VNET-XXXX (RG-XXXX)
Subnet | PE-SUBNET
Network policy for private endpoints | Disabled
Private IP configuration | Dynamically allocate IP address

On the DNS tab, configure the required settings and select Next: Tags >.

Setting | Value
Integrate with private DNS zone | Yes
Subscription | SUBSCRIPTION-XXXX
Resource group | RG-XXXX

This step creates a second private DNS zone, named privatelink-global.wvd.microsoft.com.

On the Tags tab, select Review + create, then on the Review + create tab select Create.

Unlike the connection and feed sub-resources, the global sub-resource needs only one private endpoint for the whole deployment: it is created on any one workspace, and Azure allows just one such endpoint regardless of which workspace you select.

Note: To apply the network changes, you must restart the session hosts in the target host pool.

In Azure Virtual Desktop, open Host pools, select the target host pool, then go to Session hosts. Select all session hosts and click Restart from the toolbar.
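The portal steps above (re-registering the provider, creating the dedicated subnet, and creating the connection, feed and global private endpoints with their private DNS zones) can be reproduced with the Azure CLI. The script below is an added example, not code from the post; resource names are the post's placeholders, LOCATION is an assumption, and the flag names assume a current Azure CLI (the older `--disable-private-endpoint-network-policies true` form is equivalent).

```shell
#!/bin/sh
# Added example, not from the original post: Azure CLI equivalent of the portal
# steps. Names are the post's placeholders; LOCATION and the exact CLI flags
# (current Azure CLI assumed) are assumptions to verify in your own tenant.
set -eu

RG="RG-XXXX"                    # resource group (placeholder from the post)
LOCATION="westeurope"           # assumed; use the region of your AVD deployment
VNET="VNET-XXXX"
PE_SUBNET="PE-SUBNET"
PE_PREFIX="10.20.255.0/24"      # starting address 10.20.255.0 from the post
HOSTPOOL="XXXXX-hp1"
WORKSPACE="XXXX-XXX-ws1"

# Map a Private Link sub-resource to the private DNS zone it needs: connection
# and feed share privatelink.wvd.microsoft.com; global uses its own zone.
zone_for_subresource() {
  case "$1" in
    connection|feed) echo "privatelink.wvd.microsoft.com" ;;
    global)          echo "privatelink-global.wvd.microsoft.com" ;;
    *) echo "unknown sub-resource: $1" >&2; return 1 ;;
  esac
}

# Create one private endpoint for an AVD resource + sub-resource, then make sure
# the matching private DNS zone exists, is linked to the VNet, and receives the
# endpoint's A records through a DNS zone group (the portal's
# "Integrate with private DNS zone: Yes").
create_avd_private_endpoint() {
  name="$1"; target_id="$2"; subresource="$3"
  zone="$(zone_for_subresource "$subresource")"
  az network private-endpoint create -g "$RG" -n "$name" -l "$LOCATION" \
    --vnet-name "$VNET" --subnet "$PE_SUBNET" \
    --private-connection-resource-id "$target_id" \
    --group-id "$subresource" --connection-name "${name}-conn" -o none
  # Zone and VNet-link creation are idempotent PUTs, so repeating them per endpoint is safe.
  az network private-dns zone create -g "$RG" -n "$zone" -o none
  az network private-dns link vnet create -g "$RG" -z "$zone" -n "${VNET}-link" \
    --virtual-network "$VNET" --registration-enabled false -o none
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$name" \
    -n default --private-dns-zone "$zone" --zone-name "$(echo "$zone" | tr . -)" -o none
}

deploy() {
  # Re-register the resource provider (portal: Subscriptions > Resource providers > Re-register).
  az provider register --namespace Microsoft.DesktopVirtualization --wait
  # Dedicated subnet for private endpoints, with private endpoint network policies disabled.
  az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n "$PE_SUBNET" \
    --address-prefixes "$PE_PREFIX" --private-endpoint-network-policies Disabled -o none
  hp_id="$(az resource show -g "$RG" -n "$HOSTPOOL" \
    --resource-type Microsoft.DesktopVirtualization/hostPools --query id -o tsv)"
  ws_id="$(az resource show -g "$RG" -n "$WORKSPACE" \
    --resource-type Microsoft.DesktopVirtualization/workspaces --query id -o tsv)"
  create_avd_private_endpoint "PE-HP1-XXXX"      "$hp_id" connection  # one per host pool
  create_avd_private_endpoint "PE-FEED-XXXX"     "$ws_id" feed        # one per workspace
  create_avd_private_endpoint "PE-FEEDDISC-XXXX" "$ws_id" global      # one per deployment
  echo "Done. Restart the session hosts in $HOSTPOOL so they use the private path."
}

# Nothing runs unless explicitly requested, so the file can be sourced for its functions.
if [ "${RUN_DEPLOY:-0}" = "1" ]; then deploy; fi
```

Run it with `RUN_DEPLOY=1 sh avd-private-link.sh` after `az login`; the session-host restart from the note above is still a separate step.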

Validating Private Endpoint Connectivity

By default, Azure Virtual Desktop allows connectivity to workspaces and host pools over public networks. In this task, you will disable public access and enforce connectivity through Private Link.

In Azure Virtual Desktop, open Workspaces, select the target workspace, then go to Networking. On the Public access tab, select Disable public access and use private access, then click Save.

In Azure Virtual Desktop, open Host pools, select the target host pool, then go to Networking. On the Public access tab, select Disable public access and use private access, then click Save.

To validate Private Endpoint connectivity, deploy a Windows 11 Azure VM in a new subnet within the same virtual network that hosts the Private Endpoints. This VM simulates an RDP client with private network access to the Azure Virtual Desktop environment.

Open Virtual networks, select the target virtual network, then go to Subnets under Settings and select + Subnet.

In the Add a subnet pane, configure the required settings (keeping defaults unchanged) and select Add.

Setting | Value
Name | CLIENT-SUBNET
Starting address | 10.20.2.0
Enable private subnet (no default outbound access) | Disabled

Go to Virtual machines, then select + Create and choose Azure virtual machine from the drop-down menu.

On the Basics tab of the Create a virtual machine page, configure the required settings (keeping defaults unchanged), then select Next: Disks >.

Setting | Value
Subscription | SUBSCRIPTION-XXXX
Resource group | RG-XXXX
Virtual machine name | VM-CLIENT-XXXX
Region | Azure region where the Azure Virtual Desktop environment is deployed
Availability options | No infrastructure redundancy required
Security type | Standard
Image | Windows 11 Pro, version 25H2 – x64 Gen2
Size | Standard DC2s_v3
Username | USERNAME-XXXX
Password | PASSWORD-XXXX
Public inbound ports | None
Licensing | Checkbox enabled

On the Disks tab, set the OS disk type to Standard HDD (LRS) and select Next: Networking >. On the Networking tab, configure the required settings (keeping defaults unchanged).

Setting | Value
Virtual network | VNET-XXXX
Subnet | CLIENT-SUBNET
Public IP | (new) VM-IP-XXXX
NIC network security group | Advanced

On the Networking tab, create a new Network Security Group, remove the default RDP rule, then add a new inbound rule allowing access from My IP address with the specified settings.

Setting | Value
Source | IP Addresses
Source IP addresses/CIDR ranges | leave unchanged (this should still contain your public IP address)
Source port ranges | *
Destination | Any
Service | RDP
Action | Allow
Priority | 300
Name | AllowCidrBlockRDPInbound

On the Create network security group page, select OK. Then, on the Networking tab, select Next: Management >. On the Management tab, configure the required settings (keeping defaults unchanged) and select Next: Monitoring >.

Setting | Value
Enable basic plan for free | Disabled
Patch orchestration options | Manual updates

On the Monitoring tab, configure the required settings (keeping defaults unchanged), then select Review + create.

Setting | Value
Boot diagnostics | Disable

On the Review + create tab of the Create a virtual machine page, select Create to deploy the VM.

Open Virtual machines, select XXXX-XXXXX-vm0, then click Connect and choose Connect from the dropdown menu.

In the Connect page of the VM, download the RDP file from the “Most common” section, then open it by selecting Keep in the download prompt and choosing Open file.

When prompted, select Connect, then enter the VM credentials in the Windows Security dialog (username and password used during VM creation). Finally, confirm by selecting Connect again.

Within the Remote Desktop session, choose and accept the preferred privacy settings when prompted.

Open Microsoft Edge and download the Windows App MSIX installer using the provided URL: Windows App – Free download and install on Windows | Microsoft Store

Then open File Explorer, go to the Downloads folder, and launch the downloaded MSIX file to start the installation.

When prompted, select Install and, if required, confirm the User Account Control (UAC) prompt to continue the installation.

Within the Remote Desktop session on XXX-XXXX-vm0, open the Windows App client and select Sign in. When prompted, authenticate using the Entra ID User2 account that is a member of the AVD-RemoteApp prefixed group.

(Username and password details should be entered in the sign-in prompt as provided in the lab environment.)

In Windows App, go to Apps and verify that four applications are available: Command Prompt, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint.

Double-click the Command Prompt icon.

When prompted in the Windows Security dialog, enter the password for the same Microsoft Entra ID user account used to access the Azure Virtual Desktop environment.

Verify that the Command Prompt session launches successfully. Then, at the prompt, run logoff to end the Remote App session. Optionally, test accessing the Azure Virtual Desktop workspace from the computer to confirm that the connection fails.
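The client-VM test above proves the private path works end to end; the following script adds two Azure-side checks that catch the usual reasons it does not. It is an added example, not code from the post: it assumes an Azure CLI session logged in to the subscription holding the AVD resources, and uses the post's placeholder names and the 10.20.255.0/24 private endpoint subnet.

```shell
#!/bin/sh
# Added example, not from the original post: Azure-side validation of the
# Private Link setup. Names are the post's placeholders; an authenticated
# Azure CLI session is assumed.
set -eu

RG="RG-XXXX"
HOSTPOOL="XXXXX-hp1"
WORKSPACE="XXXX-XXX-ws1"
PE_PREFIX="10.20.255.0/24"      # the private endpoint subnet created earlier

# Dotted IPv4 -> integer, using only POSIX sh arithmetic.
ip_to_int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed (exit 0) when IPv4 $1 lies inside CIDR $2, fail (exit 1) otherwise.
ip_in_cidr() {
  net="${2%/*}"; bits="${2#*/}"
  mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Check 1: every A record the endpoints registered in the two AVD private DNS
# zones points into the private endpoint subnet, so clients on the VNet resolve
# the AVD service names to private addresses instead of public ones.
check_private_dns() {
  for zone in privatelink.wvd.microsoft.com privatelink-global.wvd.microsoft.com; do
    az network private-dns record-set a list -g "$RG" -z "$zone" \
      --query "[].aRecords[].ipv4Address" -o tsv |
    while read -r ip; do
      if ip_in_cidr "$ip" "$PE_PREFIX"; then
        echo "OK   $zone: $ip is inside $PE_PREFIX"
      else
        echo "FAIL $zone: $ip is outside $PE_PREFIX" >&2; exit 1
      fi
    done
  done
}

# Check 2: the portal toggle "Disable public access and use private access" sets
# publicNetworkAccess=Disabled on the resource; any other value leaves a public path.
public_access_state() {
  az resource show -g "$RG" --resource-type "$1" -n "$2" \
    --query properties.publicNetworkAccess -o tsv
}
check_public_access_disabled() {
  for spec in "Microsoft.DesktopVirtualization/hostPools:$HOSTPOOL" \
              "Microsoft.DesktopVirtualization/workspaces:$WORKSPACE"; do
    state="$(public_access_state "${spec%%:*}" "${spec#*:}")"
    if [ "$state" = "Disabled" ]; then
      echo "OK   ${spec#*:}: publicNetworkAccess=Disabled"
    else
      echo "FAIL ${spec#*:}: publicNetworkAccess=$state" >&2; return 1
    fi
  done
}

if [ "${RUN_CHECKS:-0}" = "1" ]; then check_private_dns; check_public_access_disabled; fi
```

Run it with `RUN_CHECKS=1 sh avd-private-link-check.sh`; re-run it after the final section re-enables public access and expect check 2 to report FAIL, which is the intended state for that exercise.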

Enable Public Network Access for Host Pool and Workspace

Go to Azure Virtual Desktop, open Workspaces, select XXXX-XX-ws1, then navigate to Networking. In the Public access tab, enable public access from all networks and save the changes.

Open Azure Virtual Desktop, go to Host pools, select XXXX-XXX-hp1, then navigate to Networking. In the Public access tab, enable public access from all networks and save the configuration.

This concludes the sixth part of the guide to Azure Virtual Desktop. Let’s now move on to the seventh part for the next steps.

I hope this guide on “How to implement Azure Private Link for Azure Virtual Desktop [Part 06]” has been helpful. Feel free to leave a comment below. 🙂

Copyright © 2025 TechDirectArchive