Exam AZ-140
Question 106

You have an on-premises network and an Azure subscription. The subscription contains the following:

✑ A virtual network

✑ An Azure Firewall instance

✑ An Azure Virtual Desktop host pool

The virtual network connects to the on-premises network by using a site-to-site VPN.

You need to ensure that only users from the on-premises network can connect to the Azure Virtual Desktop managed resources in the host pool. The solution must minimize administrative effort.

What should you configure?

    Correct Answer: A

    To ensure that only users from the on-premises network can connect to the Azure Virtual Desktop managed resources in the host pool, you should configure a conditional access policy. Conditional access policies can restrict access to resources based on conditions such as the user's location, in this case, ensuring that only users coming from the on-premises network IP range can access the resources. This approach minimizes administrative effort by leveraging Azure Active Directory and its built-in conditional access capabilities, providing a straightforward and effective solution.

Discussion
bugdad (Option: A)

I think it should be A... AVD is accessible from anywhere

Alessandro365

correct, this is the point!! Answer A is correct

Jakobss (Option: A)

To ensure that only users from the on-premises network can connect to the Azure Virtual Desktop managed resources in a host pool, you can use Azure Firewall to restrict access to the Azure Virtual Desktop resources. Azure Firewall allows you to control inbound and outbound network traffic to and from your Azure resources, including Azure Virtual Desktop resources.

PXAbstraction (Option: A)

Agreed, should be A. You could theoretically attain the same goal with B, but far less effectively and elegantly.

LeGluten (Option: A)

A for sure, https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

AKov77777 (Option: B)

B? https://learn.microsoft.com/en-us/azure/firewall/protect-azure-virtual-desktop?tabs=azure

Luc401 (Option: A)

Should be A

pappkarcsiii (Option: A)

A. a conditional access policy

JohnYen (Option: A)

Should be A https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

AnonymousJhb (Option: A)

A. as per CAP location. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

Frankmmendoza (Option: C)

Based on the requirement to restrict access to AVD resources to users from the on-premises network over a site-to-site VPN connection, configuring a network security group (NSG) rule is the correct and optimal solution. It effectively meets the security requirement while minimizing administrative effort, aligning with best practices for network security in Azure environments.

MarineCellenza (Option: B)

The correct answer is B, as there is already an Azure Firewall available. https://github.com/Azure/RDS-Templates/tree/master/AzureFirewallPolicyForAVD It could not be a Conditional Access Policy because the location is referring to public IPs, not the private ranges you use on-prem. Check this for more info: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition

ESAJRR (Option: B)

B. an Azure Firewall rule

Judith1969 (Option: B)

B? Because there is "An Azure Firewall instance" and the question states "The solution must minimize administrative effort."

Ishraj (Option: B)

It talks about AVD managed resources. It should be B

picho707 (Option: A)

The key piece of information here is "minimize administrative effort". I do think this is easier to do with CA policy as it gives the administrator more control of the VDI environment.

Leocan (Option: A)

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition

MarineCellenza

The correct answer is B. In CAP the location is referring to public IPs, not the private range you use on-prem. Check this for more info: https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition

choy1977 (Option: A)

This must be A... can't understand why B has been selected!

picho707

This can be easily done with a single firewall rule.

hawkens

Overview: identify the on-premises network IP range, configure Azure Firewall network rules, ensure VPN connectivity.

Step 1: Identify the on-premises network IP range.

Step 2: Configure Azure Firewall network rules:
- Navigate to the Azure Firewall instance in the Azure portal
- Go to the "Rules" tab and select "Network rule collection"
- Set the priority (lower numbers have higher priority)
- Choose "Allow" for the action
- In the rule collection, add a new rule
- Set the source address range to the CIDR block of your on-premises network
- Set the destination address range to the IP addresses of the AVD host pool or the virtual network subnet where the AVD resources reside
- Set the destination port ranges to the appropriate ports used by AVD (e.g., 3389 for RDP)
- Set the protocol to "Any" or specify the protocol used by AVD
- Save the rule collection and ensure it is active.

Ensure VPN connectivity:
- Ensure that the site-to-site VPN connection between your on-premises network and the Azure virtual network is properly configured
- Check that routing is correctly set up
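As an added example (not from the page or any of the commenters), the portal procedure in the post above scripted with Azure PowerShell. The resource group, firewall name, collection name, the on-premises range 10.10.0.0/16 and the AVD subnet 10.20.1.0/24 are assumed placeholders, and the script assumes the firewall uses classic rule collections rather than an attached Firewall Policy.

```powershell
# Added example: create the Azure Firewall network rule described in the post above.
# Every name and address range here is an assumed placeholder, not taken from the page.
$ResourceGroup  = "rg-avd"           # assumed
$FirewallName   = "fw-hub"           # assumed
$CollectionName = "AllowOnPremToAvd" # assumed
$OnPremCidr     = "10.10.0.0/16"     # assumed on-premises range reachable over the S2S VPN
$AvdSubnetCidr  = "10.20.1.0/24"     # assumed subnet holding the AVD session hosts
$AvdPorts       = @("3389")          # the RDP port the post mentions

Connect-AzAccount | Out-Null   # interactive sign-in; skip if a session already exists
$fw = Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroup

# Idempotency: do not add a second copy of the collection on re-runs.
if ($fw.NetworkRuleCollections | Where-Object { $_.Name -eq $CollectionName }) {
    Write-Host "Rule collection '$CollectionName' already exists; nothing to do."
    return
}

# Single rule: only the on-premises CIDR may reach the AVD subnet on the listed ports.
$rule = New-AzFirewallNetworkRule -Name "OnPrem-To-AvdHosts" `
    -Description "Allow on-premises users (via S2S VPN) to reach AVD session hosts" `
    -Protocol "TCP" `
    -SourceAddress $OnPremCidr `
    -DestinationAddress $AvdSubnetCidr `
    -DestinationPort $AvdPorts

# Allow collection; a lower priority number is evaluated first. Azure Firewall drops
# traffic that matches no rule, so other sources need no explicit deny rule.
$collection = New-AzFirewallNetworkRuleCollection -Name $CollectionName `
    -Priority 100 -Rule $rule -ActionType "Allow"

$fw.NetworkRuleCollections.Add($collection)
Set-AzFirewall -AzureFirewall $fw | Out-Null

# Verify what was committed by reading the firewall back.
(Get-AzFirewall -Name $FirewallName -ResourceGroupName $ResourceGroup).NetworkRuleCollections |
    Where-Object { $_.Name -eq $CollectionName } |
    Select-Object -ExpandProperty Rules |
    Format-Table Name, SourceAddresses, DestinationAddresses, DestinationPorts, Protocols
```

The rule only governs traffic that is actually routed through the firewall, so the AVD subnet (or the gateway subnet) must carry a route table that sends on-premises traffic to the firewall's private IP; without that route the rule is never evaluated.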