Wednesday, 10 July 2024

Create Azure network connection

 


Azure network connections (ANC) let you provision Cloud PCs that are attached to a virtual network that you manage.

You can have up to 10 ANCs per tenant.

As part of the connection process, the Windows 365 service is granted the following permissions:

  • Reader permission on the Azure subscription.
  • Windows 365 Network Interface Contributor role on the specified resource group.
  • Windows 365 Network User role on the virtual network.
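To confirm that the Windows 365 service holds exactly these three grants and nothing broader, the following added example (not Microsoft's code) compares role assignments against the list above. It assumes input shaped like the JSON from `az role assignment list --all --assignee <service-principal-id>`; the subscription ID, resource group and VNet names are constructed placeholders.

```python
import json

# Roles the page lists as granted to the Windows 365 service, by scope kind.
ROLE_BY_SCOPE = {
    "subscription": "Reader",
    "resource_group": "Windows 365 Network Interface Contributor",
    "virtual_network": "Windows 365 Network User",
}

def norm(scope):
    # Azure resource IDs compare case-insensitively; ignore a trailing slash.
    return scope.rstrip("/").lower()

def expected_grants(sub_id, rg, vnet_rg, vnet):
    """Build the (role, scope) pairs one ANC should produce."""
    sub = f"/subscriptions/{sub_id}"
    vnet_id = (f"{sub}/resourceGroups/{vnet_rg}"
               f"/providers/Microsoft.Network/virtualNetworks/{vnet}")
    scopes = {
        "subscription": sub,
        "resource_group": f"{sub}/resourceGroups/{rg}",
        "virtual_network": vnet_id,
    }
    return {(ROLE_BY_SCOPE[kind], norm(s)) for kind, s in scopes.items()}

def audit(assignments, expected):
    """Return grants that are missing and grants beyond the expected set."""
    actual = {(a["roleDefinitionName"], norm(a["scope"])) for a in assignments}
    return {"missing": sorted(expected - actual),
            "unexpected": sorted(actual - expected)}

# Constructed sample: the VNet grant is absent and an extra
# subscription-wide Contributor grant is present.
SUB = "00000000-0000-0000-0000-000000000000"  # placeholder subscription ID
SAMPLE = json.loads(f"""[
  {{"roleDefinitionName": "Reader", "scope": "/subscriptions/{SUB}"}},
  {{"roleDefinitionName": "Windows 365 Network Interface Contributor",
    "scope": "/subscriptions/{SUB}/resourceGroups/RG-CloudPC"}},
  {{"roleDefinitionName": "Contributor", "scope": "/subscriptions/{SUB}/"}}
]""")

if __name__ == "__main__":
    want = expected_grants(SUB, "rg-cloudpc", "rg-network", "vnet-cloudpc")
    print(json.dumps(audit(SAMPLE, want), indent=2))
```

With several ANCs in one tenant, take the union of `expected_grants` for each connection before calling `audit`.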

Requirements

To create an ANC, you must meet these requirements:

  • Have the Intune Administrator or Windows 365 Administrator role.
  • Have an Active Directory user account with sufficient permissions to join the AD domain into this Organizational Unit (hybrid Microsoft Entra join ANCs only).
  • Have the Subscription Reader role in the Azure Subscription where the VNET associated with the ANC is located.
  • If you want to create an ANC with a network or resource group that was never used in any previous ANC creation, then you must have the Subscription owner or user administrator role.
  • For Disaster Recovery (DR) purposes, make sure that there are at least 50% of the IP addresses available in your subnet. If reprovisioning for DR is required, sufficient new IP addresses are required for each Cloud PC provisioned on the subnet.
  • For Windows 365 Government (GCC only, not GCC-H), make sure to complete the script options listed in Set up tenants for Windows 365 Government.
    • If you aren't using Azure CloudShell, make sure that your PowerShell execution policy is configured to allow Unrestricted scripts. If you use Group Policy to set execution policy, make sure that the Group Policy Object (GPO) targeted at the Organizational Unit (OU) defined in the ANC is configured to allow Unrestricted scripts. For more information, see Set-ExecutionPolicy.

When planning your ANC VNets with ExpressRoute as the on-premises connectivity model, refer to Azure’s documentation on VM limits. For the ExpressRoute Gateway SKU, make sure that you have a correctly sized Gateway for the number of Cloud PCs planned within the VNet. Exceeding this limit could cause instability in your connectivity.


Create an ANC

  1. Sign in to the Microsoft Intune admin center, select Devices > Windows 365 (under Provisioning) > Azure network connection > Create.

  2. Depending on the type of ANC you want to create, choose Microsoft Entra Join or Hybrid Microsoft Entra Join.


  3. On the Network details page, enter a Name for the new connection. The connection name must be unique within the customer tenant.


  4. Select a Subscription and Resource group for the new connection. Create a new resource group to contain your Cloud PC resources. Optionally, you can instead select an existing resource group in the list (which grants Windows 365 permissions to the existing resource group). If you don’t have a healthy ANC, you won't be able to proceed.

  5. Select a Virtual network and Subnet.

  6. Select Next.

  7. For hybrid Microsoft Entra join ANCs, on the AD domain page, provide the following information:
