Windows 365 is a fully managed VDI solution by Microsoft; you have no control over the underlying virtual machines. Everything from backup, DR, and networking is automatically managed for you by Microsoft. This simplicity is great and ensures total peace of mind. But what if you now want to connect to services within your own datacenter or own Azure environment?
In terms of network options, Microsoft offers two choices: the Microsoft Hosted Network or an Azure Network Connection. But when do you choose which?
Microsoft Hosted Network (MHN) vs Azure Network Connection (ANC)
Both have their advantages, but the easiest is certainly the Microsoft Hosted network option.

When configuring the networking, keep in mind that a Cloud PC does not travel with you. If you need Cloud PCs in North America AND Europe, make sure to provide a separate provisioning policy for both of them, each with its own dedicated network configuration.
Microsoft Hosted Network
When using this selection, Microsoft provides everything necessary for your Cloud PC to access the internet. Windows 365 works closely with Azure and utilizes various services such as Availability Zones to ensure business continuity. You don’t need any technical knowledge, as everything is automated.
Some reasons why you might choose this option are:
- Super fast internet
- No technical knowledge required
- No IP plan needed
- Manage your Cloud PCs as you would a traditional PC.
- There is an upload limit depending on the SKU chosen.
To me, this is the preferred option because it is incredibly fast and allows you to manage your Cloud PC as if it were a traditional work-from-home endpoint. Think of it as the public internet.
Please note that if you intend to deploy a VPN alongside the Microsoft Hosted Network for a Cloud PC, it is feasible; however, you’ll need to set up a split tunnel VPN configuration, which comes down to excluding (whitelisting) the following two endpoints from the tunnel:
- Wildcard FQDN: *.wvd.microsoft.com
- IPs: WindowsVirtualDesktop Service Tag.
Additionally, it’s important to be aware that direct communication between Cloud PCs is not supported, and that outbound traffic on port 25 (SMTP) is restricted.
More information can be found on Microsoft Learn.
Azure Network Connection
The second option that Microsoft offers is the use of a subnet within your Azure environment. To set this up, you need to have an established Azure environment. As a result, the Network Interface of the VM becomes available as a resource within that subnet. Currently you are limited to 50 Azure Network Connections. There is, however, the option to request a raise through a Microsoft support ticket; you will need to prove your business case.
To allow Windows 365 to integrate with your Azure environment, you must grant the Windows 365 service principal two permissions:
- Windows365 Network Interface Contributor on the resource group where you want to make your Cloud PCs available. This permission allows Windows 365 to create the Network Interface (NIC) of your Cloud PC within the Resource Group.
- Windows365 Network User on the VNET where the Cloud PCs will be available. This role is necessary to attach the previously deployed NIC to your VNET.
Once you have granted these rights, you are ready to create an ANC. The creation of an ANC is done just like all other Windows 365 management from your Intune tenant and is pretty straightforward.
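As an added example that is not part of the original post, the following Azure CLI script grants the Windows 365 service principal the two roles described above at the narrowest scope each needs: the NIC Contributor role on the resource group and the Network User role on the VNet. It also checks that a scope is no broader than that, and lists what the principal currently holds so that an accidental wider assignment (for example Contributor on the whole subscription) can be spotted and removed. The subscription ID, resource group and VNet names are placeholders, and looking the principal up by the display name "Windows 365" is an assumption about how it appears in your tenant.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Placeholder values: replace before use.
SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000"   # placeholder
RESOURCE_GROUP="rg-cloudpc-weu"                           # placeholder
VNET_NAME="vnet-cloudpc-weu"                              # placeholder

# Resource ID of a resource group: the scope for "Windows365 Network Interface Contributor".
rg_scope() {
  printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"
}

# Resource ID of a virtual network: the scope for "Windows365 Network User".
vnet_scope() {
  printf '%s/providers/Microsoft.Network/virtualNetworks/%s' "$(rg_scope "$1" "$2")" "$3"
}

# Returns 0 when the scope is as narrow as the post describes for that role,
# 1 when it is wider (subscription-level) or of the wrong kind.
scope_matches_role() {
  role="$1"; scope="$2"
  case "$role" in
    "Windows365 Network Interface Contributor")
      printf '%s' "$scope" | grep -Eq '^/subscriptions/[^/]+/resourceGroups/[^/]+$' ;;
    "Windows365 Network User")
      printf '%s' "$scope" | grep -Eq '^/subscriptions/[^/]+/resourceGroups/[^/]+/providers/Microsoft\.Network/virtualNetworks/[^/]+$' ;;
    *)
      return 1 ;;
  esac
}

# Object ID of the Windows 365 service principal in this tenant (assumed display name).
w365_object_id() {
  az ad sp list --display-name "Windows 365" --query "[0].id" -o tsv
}

# Create the two role assignments, refusing any scope that is wider than needed.
assign_w365_roles() {
  spn="$1"; rg_id="$2"; vnet_id="$3"
  scope_matches_role "Windows365 Network Interface Contributor" "$rg_id" || { echo "refusing: NIC role scope is not a resource group" >&2; return 1; }
  scope_matches_role "Windows365 Network User" "$vnet_id" || { echo "refusing: network user scope is not a VNet" >&2; return 1; }
  az role assignment create --assignee-object-id "$spn" --assignee-principal-type ServicePrincipal \
    --role "Windows365 Network Interface Contributor" --scope "$rg_id"
  az role assignment create --assignee-object-id "$spn" --assignee-principal-type ServicePrincipal \
    --role "Windows365 Network User" --scope "$vnet_id"
}

# Show every assignment the principal holds so wider roles can be reviewed and removed.
audit_w365_roles() {
  az role assignment list --assignee "$1" --all \
    --query "[].{role:roleDefinitionName,scope:scope}" -o table
}

# Only talk to Azure when explicitly asked: ./w365-anc-roles.sh apply
if [ "${1:-}" = "apply" ]; then
  spn="$(w365_object_id)"
  assign_w365_roles "$spn" \
    "$(rg_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")" \
    "$(vnet_scope "$SUBSCRIPTION_ID" "$RESOURCE_GROUP" "$VNET_NAME")"
  audit_w365_roles "$spn"
fi
```

Run it with `apply` after `az login` against the right subscription. Keeping the two scopes separate (resource group for the NIC, VNet for the attach) matches the post's description and avoids handing the service principal a subscription-wide role it does not need.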
Some reasons why you might choose this option are:
- Complete control over all outgoing traffic
- Permanent connectivity to a server in your backend
- No network limitations
- Integration with a traditional Active Directory domain for domain joining the Cloud PCs
An ANC is the perfect way to access network resources without the requirement of a traditional VPN: you can route traffic over your firewall and configure outbound traffic limitations.
You can also easily provide administrative access to backend resources, for example for privileged accounts; they then only access the backend from their secured Cloud PC and never from their own endpoint.
Another use case is for external contractors who need access to your environment. You can grant them access to only a limited set of your network. When their work is done you simply remove their Cloud PC.
More information can be found on Microsoft Learn.
Setup an Azure Network Connection
The setup process for an Azure Network Connection is as follows:

Should you rely on Group Policy Objects (GPOs) or wish to join your Cloud PCs to a traditional Active Directory domain, you should establish a Hybrid Microsoft Entra Join Connection. If not, I would suggest opting for the Microsoft Entra Join option, which allows for native integration of Cloud PCs with Entra ID.
The setup of either the Hybrid or Native connection is very simple and straightforward if you assigned the required permissions to the service principal. You simply put in a friendly name and select your subnet from the list. That’s it!

When selecting the hybrid option, you will be prompted to input the domain details, including the username and password for an account with domain-joining permissions. This requires line of sight with a domain controller.
Opting for the hybrid choice may extend the VM provisioning time to approximately one hour, as it depends on the Microsoft Entra Connect sync cycle.

Once the connection is available you can use it in a provisioning policy. It’s also easy to check if all requirements are met and see if the connection is healthy by just clicking on its name. Please note that using these health checks, Microsoft can determine whether the ANC is being used or not. If you don’t use an active ANC, it will automatically be set to inactive after an extended period of time.

The network interface (NIC) of the Cloud PC should now become available in your subnet. This is the only reference to the Cloud PC that you can see or access from your Azure subscription.

Reactivate your ANC
Starting in December 2024, Microsoft has increased the limit on the number of Azure Network Connections (ANCs) you can create. Previously capped at 10, the limit has now been increased to 50. One of the key reasons for putting a limit on this is the resource demand required for performing health checks on all those Azure Network Connections.
Due to the resource-intensive nature of health checks and the increased ANC limit, Microsoft will now determine whether an Azure Network Connection (ANC) can be deactivated. If an ANC is not in use and Microsoft detects no network traffic, they will deactivate it, effectively pausing the health checks provided as part of the Windows 365 service.
It’s easy to determine when an ANC has been deactivated based on the Status column within the Azure Network Connection view.

Reactivating it is straightforward as well. Just open the ANC; you’ll be greeted with the following message: “Health checks are paused due to inactivity on this Azure network connection, select Reactivate to resume.” which is exactly what you need to do.

Conclusion
As you can see, both the Microsoft Hosted Network and the Azure Network Connection have their benefits. The Microsoft Hosted option is the simplest; it will be sufficient for most users and provides a straightforward way to connect your Cloud PC to the internet AND your Intune tenant, while the ANC gives you full control over all the traffic coming from your Cloud PC.