
In this guide, we shall discuss “How to implement Azure Private Link for Azure Virtual Desktop [Part 06]”. It explains how to implement Azure Private Link within an existing Azure Virtual Desktop environment, with the goal of improving security and control of the network traffic to the management and access services. Please see Azure Virtual Desktop: Connect to Session Hosts Using Entra ID [Part 04], and Azure Virtual Desktop: Autoscaling Implementing and Monitoring Session Hosts [Part 05].
In a traditional scenario, Azure Virtual Desktop relies on public endpoints to enable communication between clients, control services, and cloud infrastructure. While functional, this model may not be sufficient in enterprise contexts with strict security and network isolation requirements.
The adoption of Azure Private Link allows traffic to be routed through private endpoints within your virtual network, reducing exposure to the internet and ensuring more secure and controlled connectivity.
You have an existing Azure Virtual Desktop environment and need to configure it to use Azure Private Link as a secure connection method to AVD services.
Objectives
At the end of this guide, you will be able to: Implement Azure Private Link for Azure Virtual Desktop
The exercise focuses on implementing and validating an Azure Virtual Desktop Private Link setup, covering networking and security configuration tasks.
- Re-register the Azure Virtual Desktop resource provider
- Create a subnet in an Azure virtual network
- Configure a Private Endpoint for host pool connectivity
- Configure a Private Endpoint for feed download
- Configure a Private Endpoint for initial feed discovery
- Validate that Private Endpoints are working correctly
- Enable public network access for the host pool and workspace
Azure Virtual Desktop uses three distinct workflows, each mapped to specific resource types when implementing Azure Private Link:
- Initial feed discovery: Enables RDP clients to discover all workspaces assigned to a user. To support this via Private Link, you must create a single Private Endpoint targeting the global sub-resource of any workspace in the AVD deployment. Only one such Private Endpoint is allowed per deployment, regardless of the workspace selected.
- Feed download: Enables RDP clients to retrieve connection details for workspaces hosting the user’s application groups. To enable this, you must create a Private Endpoint for the feed sub-resource for each workspace that should be accessible through Private Link.
- Host pool connections: Enables RDP clients and session hosts to connect to a host pool. To support this, you must create a Private Endpoint for the connection sub-resource for each host pool exposed via Private Link.
| Workflow | Purpose | Private Endpoint Configuration | Scope |
|---|---|---|---|
| Initial feed discovery | Allows RDP clients to discover all workspaces assigned to a user | Single Private Endpoint targeting the global sub-resource of any workspace in the deployment | One per deployment (only one allowed) |
| Feed download | Allows RDP clients to download connection details for workspaces hosting the user’s application groups | Private Endpoint targeting the feed sub-resource | One per workspace to be exposed |
| Host pool connections | Allows RDP clients and session hosts to connect to a host pool | Private Endpoint targeting the connection sub-resource | One per host pool exposed |
Note: There are four possible configurations for implementing Azure Virtual Desktop workflows with Private Link:
- Fully public setup: all traffic uses public routes and Private Link is not used.
- Fully private setup: all traffic (initial feed discovery, feed download, and session connections) uses private routes.
- Hybrid setup 1: feed download and session connections use private routes, while initial feed discovery uses public routes.
- Hybrid setup 2: only session connections use private routes, while initial feed discovery and feed download remain public.
Please see Azure Virtual Desktop: Deploy host pools and session hosts in the Azure [Part 01], Azure Virtual Desktop: How to set Up Azure Virtual Desktop Insights Monitoring [Part 03], and Azure Virtual Desktop: Manage Azure Virtual Desktop host pools and session hosts using the Azure portal [Part 02].
Re-Registering the Azure Virtual Desktop Resource Provider
Before using Private Link with Azure Virtual Desktop, you must re-register the Microsoft.DesktopVirtualization resource provider.
- On the Resource providers tab, in the search box, enter Microsoft.DesktopVirtualization. From the results list, select the radio button next to the Microsoft.DesktopVirtualization entry, then click Re-register.
Wait for the re-registration process to complete. This typically takes less than one minute.
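The same re-registration done with Azure PowerShell, as an added example that is not part of the original guide. It assumes the Az.Accounts and Az.Resources modules are installed and that Connect-AzAccount / Set-AzContext have already selected the subscription; the five-minute timeout is an arbitrary choice.

```powershell
# Added example (not from the original guide): re-register the
# Microsoft.DesktopVirtualization resource provider and wait until the
# provider reports 'Registered' instead of assuming the request has finished.
$namespace = 'Microsoft.DesktopVirtualization'

Register-AzResourceProvider -ProviderNamespace $namespace | Out-Null

# Registration is asynchronous: poll the provider state with a bounded wait.
$deadline = (Get-Date).AddMinutes(5)   # assumption: generous upper bound
do {
    Start-Sleep -Seconds 10
    # Get-AzResourceProvider returns one entry per resource type; all entries
    # of a namespace share the same RegistrationState, so the first is enough.
    $state = (Get-AzResourceProvider -ProviderNamespace $namespace |
              Select-Object -First 1).RegistrationState
    Write-Host "$namespace registration state: $state"
} while ($state -ne 'Registered' -and (Get-Date) -lt $deadline)

if ($state -ne 'Registered') {
    throw "Provider $namespace did not reach 'Registered' within 5 minutes."
}
```

Polling the state matters because the private endpoint wizard only offers the AVD sub-resources once the provider is fully registered; running the next step too early produces a confusing "sub-resource not available" result rather than a clear error.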


Create an Azure virtual network subnet
Note: You can use an existing subnet in an Azure virtual network to deploy private endpoints in this guide scenario, however it is a best practice to use a dedicated subnet for this purpose.
On the XXXX-vnetXXXX page, in the Settings section of the left-hand navigation menu, select Subnets.
On the XXXX-vnetXXXX | Subnets page, select + Subnet.

In the Add a subnet pane, configure the required settings (keeping defaults unchanged) and then select Add.
| Setting | Value |
|---|---|
| Name | pe-Subnet |
| Starting address | 10.20.255.0 |
| Enable private subnet (no default outbound access) | disabled |
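The dedicated private endpoint subnet created with Azure PowerShell, as an added example that is not from the original guide. It assumes the Az.Network module and a selected subscription; VNET-XXXX and RG-XXXX are the guide's placeholders, and the /24 prefix length is an assumption (the guide gives only the starting address 10.20.255.0).

```powershell
# Added example (not from the original guide): add a dedicated subnet for
# private endpoints to an existing virtual network, refusing to proceed if the
# name or address range is already in use.
$rg         = 'RG-XXXX'          # placeholder from the guide
$vnetName   = 'VNET-XXXX'        # placeholder from the guide
$subnetName = 'pe-Subnet'
$prefix     = '10.20.255.0/24'   # assumption: /24 from starting address 10.20.255.0

$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName

# Guard against a silent overwrite: Set-AzVirtualNetwork would otherwise
# accept a duplicate name or an overlapping prefix only at deployment time.
if ($vnet.Subnets.Name -contains $subnetName) {
    throw "Subnet '$subnetName' already exists in $vnetName."
}
if ($vnet.Subnets.AddressPrefix -contains $prefix) {
    throw "Address prefix $prefix is already assigned to another subnet."
}

# Private endpoint network policies are disabled, matching the
# "Network policy for private endpoints: Disabled" setting used later in the
# private endpoint wizard. "Enable private subnet" stays at its default
# (disabled), so no outbound-access parameter is set.
Add-AzVirtualNetworkSubnetConfig -Name $subnetName `
    -AddressPrefix $prefix `
    -VirtualNetwork $vnet `
    -PrivateEndpointNetworkPoliciesFlag Disabled | Out-Null

# Persist the change and return the resulting subnet for inspection.
$vnet = $vnet | Set-AzVirtualNetwork
$vnet.Subnets | Where-Object Name -eq $subnetName |
    Select-Object Name, AddressPrefix, PrivateEndpointNetworkPolicies
```

A dedicated subnet keeps the private endpoint NICs apart from session hosts and client VMs, which makes NSG and route-table scoping for the AVD control-plane traffic straightforward later on.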


Configuring a Private Endpoint for Host Pool Connections
On the XXXXX-hp1 page, in the left-hand navigation menu under Settings, select Networking. On the XXXXX-hp1 | Networking page, open the Private endpoint connections tab, then select + New private endpoint.

On the Basics tab of the Create a private endpoint page, enter the required settings and then select Next: Resource >.
| Setting | Value |
|---|---|
| Subscription | SUBSCRIPTION-XXXX |
| Resource group | RG-XXXX |
| Name | PE-HP1-XXXX |
| Network Interface Name | PE-HP1-NIC-XXXX |
| Region | Azure region where the Azure Virtual Desktop environment is deployed |

On the Resource tab, specify the required settings and select Next: Virtual network >.
| Setting | Value |
|---|---|
| Target sub-resource | connection |

On the Virtual network tab, configure the required settings (keeping defaults unchanged) and then select Next: DNS >.
| Setting | Value |
|---|---|
| Virtual network | VNET-XXXX (RG-XXXX) |
| Subnet | SUBNET-PRIVATE-ENDPOINT |
| Network policy for private endpoints | Disabled |
| Private IP configuration | Dynamically allocate IP address |

On the DNS tab of the Create a private endpoint page, configure the required settings and then select Next: Tags >.
| Setting | Value |
|---|---|
| Integrate with private DNS zone | Yes |
| Subscription | SUBSCRIPTION-XXXX |
| Resource group | XXXXX-XXX-RG |
This step will create a private DNS zone named privatelink.wvd.microsoft.com.

On the Tags tab of the Create a private endpoint page, select Review + create. On the Review + create tab, select Create.
Wait for the deployment to complete (approximately 3 minutes). Note that a separate private endpoint must be created for the connection sub-resource of each host pool you want to use with Private Link.


Creating a Private Endpoint for Feed Download
On the Azure Virtual Desktop | Workspaces page, open az140-21-ws1. In the Settings section, select Networking, then go to the Private endpoint connections tab and click + New private endpoint.

On the Basics tab of the Create a private endpoint page, configure the required settings and select Next: Resource >.
| Setting | Value |
|---|---|
| Subscription | SUBSCRIPTION-XXXX |
| Resource group | RG-XXXX |
| Name | PE-FEED-XXXX |
| Network Interface Name | PE-FEED-NIC-XXXX |
| Region | Azure region of the Azure Virtual Desktop environment |

On the Resource tab of the Create a private endpoint page, configure the required settings and then select Next: Virtual network >.
| Setting | Value |
|---|---|
| Target sub-resource | feed |

On the Virtual network tab, configure the required settings (keeping defaults unchanged) and select Next: DNS >.
| Setting | Value |
|---|---|
| Virtual network | VNET-XXXX (RG-XXXX) |
| Subnet | PE-SUBNET |
| Network policy for private endpoints | Disabled |
| Private IP configuration | Dynamically allocate IP address |

On the DNS tab, configure the required settings and then select Next: Tags >.
| Setting | Value |
|---|---|
| Integrate with private DNS zone | Yes |
| Subscription | SUBSCRIPTION-XXXX |
| Resource group | RG-XXXX |
This step uses the previously created private DNS zone named privatelink.wvd.microsoft.com.

On the Tags tab, select Review + create, then on the Review + create tab select Create. Note that a separate private endpoint is required for the feed sub-resource of each workspace used with Private Link.


Configuring a Private Endpoint for Initial Feed Discovery
On the Azure Virtual Desktop | Workspaces page, open XXXX-XXX-ws1, go to Networking under Settings, then in Private endpoint connections select + New private endpoint.

On the Basics tab of the Create a private endpoint page, configure the required settings and then select Next: Resource >.
| Setting | Value |
|---|---|
| Subscription | SUBSCRIPTION-XXXX |
| Resource group | RG-XXXX |
| Name | PE-FEEDDISC-XXXX |
| Network Interface Name | PE-FEEDDISC-NIC-XXXX |
| Region | Azure region where the Azure Virtual Desktop environment is deployed |

On the Resource tab of the Create a private endpoint page, configure the required settings and select Next: Virtual network >.
| Setting | Value |
|---|---|
| Target sub-resource | global |

On the Virtual network tab, configure the required settings (keeping defaults unchanged) and select Next: DNS >.
| Setting | Value |
|---|---|
| Virtual network | VNET-XXXX (RG-XXXX) |
| Subnet | PE-SUBNET |
| Network policy for private endpoints | Disabled |
| Private IP configuration | Dynamically allocate IP address |

On the DNS tab, configure the required settings and select Next: Tags >.
| Setting | Value |
|---|---|
| Integrate with private DNS zone | Yes |
| Subscription | SUBSCRIPTION-XXXX |
| Resource group | RG-XXXX |
This step will result in the creation of a private DNS zone named privatelink-global.wvd.microsoft.com.

On the Tags tab, select Review + create, then on the Review + create tab select Create.
Unlike the connection and feed sub-resources, the global sub-resource needs only one private endpoint per deployment, regardless of which workspace it targets (see the workflow table above); do not create one for every workspace.
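The three private endpoints from the host pool connection, feed download and initial feed discovery tasks above, created with Azure PowerShell through one parameterised function, as an added example that is not from the original guide. It assumes the Az.Network, Az.PrivateDns and Az.DesktopVirtualization modules, a selected subscription, and that the guide's placeholders (RG-XXXX, VNET-XXXX, PE-SUBNET, XXXXX-hp1, XXXX-XXX-ws1) are replaced; the region value is an assumption.

```powershell
# Added example (not from the original guide): create the AVD private endpoints
# for the connection, feed and global sub-resources and attach each one to the
# matching private DNS zone, which is what the portal's "Integrate with private
# DNS zone: Yes" option does behind the scenes.
$rg       = 'RG-XXXX'                  # placeholder from the guide
$location = 'westeurope'               # assumption: region of the AVD deployment
$vnet     = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'VNET-XXXX'
$subnet   = $vnet.Subnets | Where-Object Name -eq 'PE-SUBNET'
if (-not $subnet) { throw 'Private endpoint subnet PE-SUBNET not found.' }

$hostPool  = Get-AzWvdHostPool  -ResourceGroupName $rg -Name 'XXXXX-hp1'
$workspace = Get-AzWvdWorkspace -ResourceGroupName $rg -Name 'XXXX-XXX-ws1'

# Create the private DNS zone if missing and link it to the VNet so that
# clients in the VNet resolve the AVD names to the private endpoint addresses.
function Initialize-PrivateDnsZone {
    param([Parameter(Mandatory)][string]$ZoneName)
    $zone = Get-AzPrivateDnsZone -ResourceGroupName $rg -Name $ZoneName -ErrorAction SilentlyContinue
    if (-not $zone) {
        $zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $ZoneName
    }
    $linkName = "$($vnet.Name)-link"
    $link = Get-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $ZoneName `
                -Name $linkName -ErrorAction SilentlyContinue
    if (-not $link) {
        New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $ZoneName `
            -Name $linkName -VirtualNetworkId $vnet.Id | Out-Null
    }
    return $zone
}

# One private endpoint for a given AVD resource and sub-resource, registered
# in a DNS zone group so the A records are maintained automatically.
function New-AvdPrivateEndpoint {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$TargetResourceId,
        [Parameter(Mandatory)][ValidateSet('connection', 'feed', 'global')][string]$GroupId,
        [Parameter(Mandatory)][string]$ZoneName
    )
    $connection = New-AzPrivateLinkServiceConnection -Name "$Name-conn" `
                      -PrivateLinkServiceId $TargetResourceId -GroupId $GroupId
    $pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name $Name -Location $location `
              -Subnet $subnet -PrivateLinkServiceConnection $connection `
              -CustomNetworkInterfaceName "$Name-NIC"
    $zone = Initialize-PrivateDnsZone -ZoneName $ZoneName
    $zoneConfig = New-AzPrivateDnsZoneConfig -Name ($ZoneName -replace '\.', '-') `
                      -PrivateDnsZoneId $zone.ResourceId
    New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
        -Name 'default' -PrivateDnsZoneConfig $zoneConfig | Out-Null
    return $pe
}

# Host pool connections: one endpoint per host pool exposed via Private Link.
New-AvdPrivateEndpoint -Name 'PE-HP1-XXXX' -TargetResourceId $hostPool.Id `
    -GroupId 'connection' -ZoneName 'privatelink.wvd.microsoft.com'
# Feed download: one endpoint per workspace exposed via Private Link.
New-AvdPrivateEndpoint -Name 'PE-FEED-XXXX' -TargetResourceId $workspace.Id `
    -GroupId 'feed' -ZoneName 'privatelink.wvd.microsoft.com'
# Initial feed discovery: exactly one per deployment, targeting any workspace.
New-AvdPrivateEndpoint -Name 'PE-FEEDDISC-XXXX' -TargetResourceId $workspace.Id `
    -GroupId 'global' -ZoneName 'privatelink-global.wvd.microsoft.com'
```

The connection and feed endpoints share the privatelink.wvd.microsoft.com zone, while the global endpoint uses privatelink-global.wvd.microsoft.com, mirroring the two zones the portal wizard creates above. After the connection endpoint exists, the session hosts still have to be restarted, as the note below states, before they use it.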
Note: To apply the network changes, you must restart the session hosts in the target host pool.


In Azure Virtual Desktop, open Host pools, select the target host pool, then go to Session hosts. Select all session hosts and click Restart from the toolbar.

Validating Private Endpoint Connectivity
By default, Azure Virtual Desktop allows connectivity to workspaces and host pools over public networks. In this task, you will disable public access and enforce connectivity through Private Link.
In Azure Virtual Desktop, open Workspaces, select the target workspace, then go to Networking. On the Public access tab, select Disable public access and use private access, then click Save.

In Azure Virtual Desktop, open Host pools, select the target host pool, then go to Networking. On the Public access tab, select Disable public access and use private access, then click Save.
To validate Private Endpoint connectivity, deploy a Windows 11 Azure VM in a new subnet within the same virtual network that hosts the Private Endpoints. This VM simulates an RDP client with private network access to the Azure Virtual Desktop environment.




Open Virtual networks, select the target virtual network, then go to Subnets under Settings and select + Subnet.

In the Add a subnet pane, configure the required settings (keeping defaults unchanged) and select Add.
| Setting | Value |
|---|---|
| Name | CLIENT-SUBNET |
| Starting address | 10.20.2.0 |
| Enable private subnet (no default outbound access) | Disabled |

Go to Virtual machines, then select + Create and choose Azure virtual machine from the drop-down menu.

On the Basics tab of the Create a virtual machine page, configure the required settings (keeping defaults unchanged), then select Next: Disks >.
| Setting | Value |
|---|---|
| Subscription | SUBSCRIPTION-XXXX |
| Resource group | RG-XXXX |
| Virtual machine name | VM-CLIENT-XXXX |
| Region | Azure region where the Azure Virtual Desktop environment is deployed |
| Availability options | No infrastructure redundancy required |
| Security type | Standard |
| Image | Windows 11 Pro, version 25H2 – x64 Gen2 |
| Size | Standard DC2s_v3 |
| Username | USERNAME-XXXX |
| Password | PASSWORD-XXXX |
| Public inbound ports | None |
| Licensing | Enabled checkbox |



On the Disks tab, set the OS disk to Standard HDD (LRS) and proceed to Networking. On the Networking tab, configure the required settings (defaults unchanged).
| Setting | Value |
|---|---|
| Virtual network | VNET-XXXX |
| Subnet | CLIENT-SUBNET |
| Public IP | (new) VM-IP-XXXX |
| NIC network security group | Advanced |
On the Networking tab, create a new Network Security Group, remove the default RDP rule, then add a new inbound rule allowing access from My IP address with the specified settings.
| Setting | Value |
|---|---|
| Source | IP Addresses |
| Source IP addresses/CIDR ranges | leave unchanged (this should still contain your public IP address) |
| Source port ranges | * |
| Destination | Any |
| Service | RDP |
| Action | Allow |
| Priority | 300 |
| Name | AllowCidrBlockRDPInbound |


On the Create network security group page, select OK. Then on the Networking tab, proceed to Next: Management >. On the Management tab, configure the required settings (defaults unchanged) and continue to Next: Monitoring >.
| Setting | Value |
|---|---|
| Enable basic plan for free | disabled |
| Patch orchestration options | Manual updates |

On the Monitoring tab, configure the required settings (keeping defaults unchanged), then select Review + create.
| Setting | Value |
|---|---|
| Boot diagnostics | Disable |
On the Review + create tab of the Create a virtual machine page, select Create to deploy the VM.


Open Virtual machines, select XXXX-XXXXX-vm0, then click Connect and choose Connect from the dropdown menu.

In the Connect page of the VM, download the RDP file from the “Most common” section, then open it by selecting Keep in the download prompt and choosing Open file.

When prompted, select Connect, then enter the VM credentials in the Windows Security dialog (username and password used during VM creation). Finally, confirm by selecting Connect again.


Within the Remote Desktop session, choose and accept the preferred privacy settings when prompted.


Open Microsoft Edge and download the Windows App MSIX installer from the Microsoft Store page (Windows App – Free download and install on Windows | Microsoft Store).
Then open File Explorer, go to the Downloads folder, and launch the downloaded MSIX file to start the installation.

When prompted, select Install and, if required, confirm the User Account Control (UAC) prompt to continue the installation.


Within the Remote Desktop session on XXX-XXXX-vm0, open the Windows App client and select Sign in. When prompted, authenticate using the Entra ID User2 account that is a member of the AVD-RemoteApp prefixed group.
(Username and password details should be entered in the sign-in prompt as provided in the lab environment.)



In Windows App, go to Apps and verify that four applications are available: Command Prompt, Microsoft Word, Microsoft Excel, and Microsoft PowerPoint.

Double-click the Command Prompt icon.


When prompted in the Windows Security dialog, enter the password for the same Microsoft Entra ID user account used to access the Azure Virtual Desktop environment.

Verify that the Command Prompt session launches successfully. Then, at the prompt, run logoff to end the Remote App session. Optionally, test accessing the Azure Virtual Desktop workspace from the computer to confirm that the connection fails.
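A name-resolution and reachability check to run inside the client VM before signing in with Windows App, as an added example that is not from the original guide. It assumes the private endpoint subnet is 10.20.255.0/24 (the guide gives only the starting address 10.20.255.0), and the FQDN list is an assumption: rdweb.wvd.microsoft.com is the initial feed discovery name served by the privatelink-global zone, and the feed and connection names should be taken from the A records in your privatelink.wvd.microsoft.com zone.

```powershell
# Added example (not from the original guide): confirm that the AVD service
# names resolve to private endpoint addresses rather than public ones, and
# that TCP 443 to those addresses is reachable from the client subnet.

# Convert a dotted IPv4 address to a 64-bit integer for prefix arithmetic.
function ConvertTo-IPv4Int64 {
    param([Parameter(Mandatory)][string]$IpAddress)
    [int64]$value = 0
    foreach ($octet in [System.Net.IPAddress]::Parse($IpAddress).GetAddressBytes()) {
        $value = ($value * 256) + [int64]$octet
    }
    return $value
}

# True when $IpAddress lies inside the IPv4 CIDR block $Cidr.
function Test-IPv4InPrefix {
    param([Parameter(Mandatory)][string]$IpAddress,
          [Parameter(Mandatory)][string]$Cidr)
    $network, $bits = $Cidr.Split('/')
    $mask   = [int64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    $ipInt  = (ConvertTo-IPv4Int64 $IpAddress) -band $mask
    $netInt = (ConvertTo-IPv4Int64 $network)   -band $mask
    return $ipInt -eq $netInt
}

# Resolve each name, flag whether the answer is inside the private endpoint
# subnet, and probe TCP 443. A PUBLIC-ADDRESS verdict means the client is not
# using the private DNS zone, so the connection would still go over the internet
# (or fail once public access is disabled).
function Test-AvdPrivateResolution {
    param([Parameter(Mandatory)][string[]]$Fqdn,
          [Parameter(Mandatory)][string]$PrivatePrefix)
    foreach ($name in $Fqdn) {
        $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'A' }
        if (-not $records) {
            [pscustomobject]@{ Fqdn = $name; Address = $null; IsPrivate = $false; Tcp443 = $false; Verdict = 'NO-ANSWER' }
            continue
        }
        foreach ($record in $records) {
            $ip        = $record.IPAddress
            $isPrivate = Test-IPv4InPrefix -IpAddress $ip -Cidr $PrivatePrefix
            $tcp       = (Test-NetConnection -ComputerName $ip -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
            $verdict   = if ($isPrivate -and $tcp) { 'PRIVATE-OK' }
                         elseif ($isPrivate)       { 'PRIVATE-UNREACHABLE' }
                         else                      { 'PUBLIC-ADDRESS' }
            [pscustomobject]@{ Fqdn = $name; Address = $ip; IsPrivate = $isPrivate; Tcp443 = $tcp; Verdict = $verdict }
        }
    }
}

# Assumption: extend this list with the feed and connection record names from
# the privatelink.wvd.microsoft.com zone of your deployment.
$names = @('rdweb.wvd.microsoft.com')
Test-AvdPrivateResolution -Fqdn $names -PrivatePrefix '10.20.255.0/24' | Format-Table -AutoSize
```

If every name reports PRIVATE-OK, the Windows App sign-in that follows is exercising the private endpoints. PUBLIC-ADDRESS on a VM that sits in the same virtual network as the endpoints usually means the virtual network is configured with custom DNS servers that do not forward to Azure DNS, so the private DNS zone never comes into play; PRIVATE-UNREACHABLE points at an NSG or route on the client or endpoint subnet blocking 443.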

Enable Public Network Access for Host Pool and Workspace
Go to Azure Virtual Desktop, open Workspaces, select XXXX-XX-ws1, then navigate to Networking. In the Public access tab, enable public access from all networks and save the changes.

Open Azure Virtual Desktop, go to Host pools, select XXXX-XXX-hp1, then navigate to Networking. In the Public access tab, enable public access from all networks and save the configuration.
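The public access switch used in both the validation task (disable public access, private only) and this final task (public access from all networks), done with Azure PowerShell and read back afterwards, as an added example that is not from the original guide. It assumes the Az.DesktopVirtualization module with Update-AzWvdWorkspace and Update-AzWvdHostPool supporting -PublicNetworkAccess, a selected subscription, and the guide's placeholder names replaced.

```powershell
# Added example (not from the original guide): set public network access on
# the workspace and host pool together, then read the values back so the
# caller verifies the result instead of trusting the update call.
function Set-AvdPublicNetworkAccess {
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$WorkspaceName,
        [Parameter(Mandatory)][string]$HostPoolName,
        # 'Disabled' = Private Link only (the validation task);
        # 'Enabled'  = public access from all networks (this final task).
        [Parameter(Mandatory)][ValidateSet('Enabled', 'Disabled')][string]$Mode
    )

    Update-AzWvdWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName `
        -PublicNetworkAccess $Mode | Out-Null
    Update-AzWvdHostPool  -ResourceGroupName $ResourceGroupName -Name $HostPoolName `
        -PublicNetworkAccess $Mode | Out-Null

    # Read back the effective setting of both resources.
    $result = [pscustomobject]@{
        Workspace = (Get-AzWvdWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName).PublicNetworkAccess
        HostPool  = (Get-AzWvdHostPool  -ResourceGroupName $ResourceGroupName -Name $HostPoolName).PublicNetworkAccess
    }
    if ($result.Workspace -ne $Mode -or $result.HostPool -ne $Mode) {
        throw "Public network access mismatch: workspace=$($result.Workspace), hostpool=$($result.HostPool), expected=$Mode"
    }
    return $result
}

# Validation task: enforce Private Link only.
Set-AvdPublicNetworkAccess -ResourceGroupName 'RG-XXXX' -WorkspaceName 'XXXX-XX-ws1' `
    -HostPoolName 'XXXX-XXX-hp1' -Mode Disabled

# Final task: restore public access from all networks.
Set-AvdPublicNetworkAccess -ResourceGroupName 'RG-XXXX' -WorkspaceName 'XXXX-XX-ws1' `
    -HostPoolName 'XXXX-XXX-hp1' -Mode Enabled
```

Changing the host pool setting is a network change for the session hosts as well, so the restart described earlier applies after either switch; a host pool left on Disabled without a working connection private endpoint leaves its session hosts unable to reach the broker.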

This concludes the sixth part of the guide to Azure Virtual Desktop. Let’s now move on to the seventh part for the next steps.
I hope this guide on “How to implement Azure Private Link for Azure Virtual Desktop [Part 06]” has been helpful. Feel free to leave a comment below. 🙂