Azure Virtual Desktop has become a key service for organizations that want secure, scalable remote access to desktops and applications. Even with all of the platform’s benefits, there is one area that can create problems for new and experienced administrators: the network. AVD relies heavily on outbound access to specific URLs, FQDNs and IP endpoints. When any of those get blocked, even unintentionally, the entire deployment can become unstable. Session freezes, failed connections and unpredictable behavior usually point back to networking.
This blog post and video provide a walkthrough of the essential AVD networking components. You will learn what traffic must be allowed, which Azure tools can simplify administration and how to verify that your session hosts can reach the endpoints required for normal operation. It is also a useful reference when you need to troubleshoot issues that appear without warning.
Why AVD Networking Matters
AVD does not require inbound internet access to the session host. This is one of the reasons the service is preferred for secure deployments. The real requirements are outbound. Every session host must reach a collection of service endpoints that support authentication, brokering, updates and backend communication with the AVD control plane. If your firewall blocks even one of these URLs, the session host may still appear healthy, yet users experience connection failures or inconsistent performance.
Some organizations add layers such as SSL inspection and proxy servers. Those tools are helpful in many scenarios, but they often break AVD communication unless you bypass AVD traffic entirely. Microsoft’s guidance is clear that AVD traffic should not be intercepted or inspected.
Using Microsoft’s Published Lists for URLs, FQDNs and IPs
Microsoft maintains a complete and regularly updated list of all required AVD endpoints. The documentation covers the domain names, some IP ranges, port requirements and the purpose of each connection. The list is available for Azure commercial cloud and Azure Government. One of the challenges is that the list is long and includes regional variations, wildcard entries and optional services such as Windows Update or certificate revocation checks.

Administrators relying on firewall rules have several choices. You can allow all outbound access for the session hosts, which is simple but not always allowed. You can manually create rules based on the published documentation. Or, if you are using Azure Firewall or Network Security Groups, you can use service tags. A service tag is a predefined collection of IP ranges managed by Microsoft. When the service changes, the tag updates automatically. For AVD, the service tag still uses the older name Windows Virtual Desktop. It is one of the easiest ways to keep network access requirements current.
Azure Firewall also supports FQDN tags. These represent groups of domain names related to a specific service. They simplify configuration because you no longer need to maintain large lists of URLs. These tags are only available on Azure Firewall, so local firewalls must handle FQDNs manually or through vendor supplied rule sets, if available.
Finding Region Specific FQDNs
In the official documentation, some entries include wildcards because the actual hostnames differ per region. If you want the exact fully qualified domain names that your session hosts use, you can find them in the session host’s Event Viewer, in the Windows Application log. Searching for Event ID 3701 under the WVD Agent source lists all FQDNs used for that region. This is helpful when you need precise control over outbound rules.
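The Event ID 3701 lookup described above can be scripted on the session host. This is an added example, not code from the original post or from Microsoft; the provider name `WVD-Agent`, the hostname pattern and the TCP 443 probe are assumptions chosen for illustration.

```powershell
# Added example: run on a session host in an elevated PowerShell session.
# Assumption: the event source the post calls "WVD Agent" is the provider 'WVD-Agent'.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'WVD-Agent'
    Id           = 3701
} -MaxEvents 20 -ErrorAction Stop   # throws if no matching event exists

# The message layout is not described in the post, so match anything shaped
# like a hostname instead of parsing fixed fields. Review the output before
# turning it into firewall rules; file names ending in letters can match too.
$hostPattern = '(?i)\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b'

$fqdns = foreach ($evt in $events) {
    foreach ($m in [regex]::Matches($evt.Message, $hostPattern)) {
        $m.Value.ToLowerInvariant()
    }
}
$fqdns = @($fqdns | Sort-Object -Unique)

# A TCP connect only proves the port is reachable from this host. It does not
# show whether a proxy or TLS inspection device sits in the path.
$fqdns | ForEach-Object {
    [pscustomobject]@{
        Fqdn   = $_
        Tcp443 = Test-NetConnection -ComputerName $_ -Port 443 `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
    }
} | Sort-Object Tcp443, Fqdn | Format-Table -AutoSize
```

Rows with `Tcp443` set to `False` sort first, so blocked region-specific names appear at the top of the table.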

Microsoft’s IP Range JSON File
Some firewalls still require IP based rules. Microsoft publishes a JSON file that contains all Azure public IP ranges for every region and service. It is updated weekly. If you rely on IP rules, this file is essential, but it also means you must update your firewall frequently so the configuration does not fall out of sync with Microsoft’s changes.
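One way to catch that drift is to compare the prefixes published for the AVD service tag with what the firewall currently allows. This is an added example, not code from the original post; the function name, the sample JSON and the documentation-range prefixes are constructed, and the JSON mirrors the layout of the downloadable file (`values[].name`, `properties.addressPrefixes`).

```powershell
function Compare-ServiceTagPrefixes {
    param(
        [Parameter(Mandatory)] [string] $ServiceTagsJson,  # content of the JSON file
        [Parameter(Mandatory)] [string] $TagName,
        [string[]] $AllowedPrefixes = @()                  # prefixes the firewall permits today
    )
    $doc = $ServiceTagsJson | ConvertFrom-Json
    $tag = $doc.values | Where-Object { $_.name -eq $TagName }
    if (-not $tag) { throw "Service tag '$TagName' not found in file" }

    $published = @($tag.properties.addressPrefixes)
    # Exact string comparison: a firewall entry that covers a published prefix
    # with a wider CIDR is still reported as missing and needs a manual look.
    [pscustomobject]@{
        ChangeNumber        = $tag.properties.changeNumber
        # Published but not allowed: AVD traffic the firewall will drop.
        MissingFromFirewall = @($published | Where-Object { $_ -notin $AllowedPrefixes })
        # Allowed but no longer published: stale rules to remove.
        StaleOnFirewall     = @($AllowedPrefixes | Where-Object { $_ -notin $published })
    }
}

# Constructed sample input (documentation address ranges, not real Azure prefixes).
# For the real file: $json = Get-Content -Raw <path to the downloaded JSON>
$sample = @'
{ "changeNumber": 1, "cloud": "Public", "values": [
  { "name": "WindowsVirtualDesktop", "id": "WindowsVirtualDesktop",
    "properties": { "changeNumber": 7, "region": "",
      "systemService": "WindowsVirtualDesktop",
      "addressPrefixes": [ "198.51.100.0/24", "203.0.113.0/25", "2001:db8:100::/48" ] } } ] }
'@
$current = '198.51.100.0/24', '192.0.2.0/24'

Compare-ServiceTagPrefixes -ServiceTagsJson $sample `
    -TagName 'WindowsVirtualDesktop' -AllowedPrefixes $current | Format-List
```

With the sample data, `203.0.113.0/25` and `2001:db8:100::/48` are reported as missing from the firewall and `192.0.2.0/24` as stale.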
Testing AVD Endpoint Access with the AVD Agent URL Tool
Knowing the required endpoints is only half of the solution. You also need a way to verify that the session host can reach them. Microsoft includes a built-in utility known as the AVD Agent URL tool. It ships with recent versions of the RD Agent and can be run directly from the session host. The tool tests connectivity to every required AVD URL and reports which ones succeed or fail.

This makes it extremely helpful during deployment and when troubleshooting issues. If a single required endpoint is blocked, the tool highlights it immediately. You can then adjust the firewall, rerun the test and confirm that access is restored.
Do Not Forget About the Client Requirements
Session hosts get most of the attention, but AVD clients also rely on specific endpoints. The list is found in the same documentation as the session host requirements and includes only TCP ports 80 and 443. These ports are usually open on home networks, but corporate environments often restrict them. RDP Shortpath adds one more requirement. Both client and session host need outbound UDP port 3478 for it to work. Microsoft provides a separate tool to test Shortpath connectivity.
Final Thoughts
Networking remains one of the most important parts of any Azure Virtual Desktop deployment. The service depends on outbound access to specific URLs, FQDNs, IP ranges and service endpoints. Even minor blocks can ripple into large user impacts. Understanding these requirements and knowing how to validate connectivity can make the difference between a stable environment and one that is difficult to support.
By combining Microsoft’s published documentation, Azure service tags and the AVD Agent URL tool, you can dramatically simplify network configuration and resolve issues much faster. If you have not already seen the full tutorial, the video walks through each of these concepts and includes several demonstrations to help you apply them in your own environment.
Links:
Required FQDNs and endpoints for Azure Virtual Desktop
https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint?WT.mc_id=AZ-MVP-5004159
Proxy server guidelines for Azure Virtual Desktop
https://learn.microsoft.com/en-us/azure/virtual-desktop/proxy-server-support?WT.mc_id=AZ-MVP-5004159
Azure IP Ranges and Service Tags – Public Cloud
https://www.microsoft.com/en-us/download/details.aspx?id=56519
Check client device STUN/TURN server connectivity and NAT type
https://learn.microsoft.com/en-us/azure/virtual-desktop/configure-rdp-shortpath?tabs=intune%2Cportal%2Cconnection-information&WT.mc_id=AZ-MVP-5004159#check-client-device-stunturn-server-connectivity-and-nat-type