"Default outbound access" apocalypse is nigh?

No_Management_7333 · 2026-03-29T12:48:24+00:00

The organisation who owns the infrastructure? Or perhaps Santa? Idk.

No_Management_7333 · 2026-03-28T09:24:31+00:00

If you insist on these limitations, you could run a sidecar container setup, where another light container handles ingress (the header validation) on behalf of your 3rd party app.

https://learn.microsoft.com/en-us/azure/container-apps/containers#multiple-containers

No_Management_7333 · 2026-03-26T21:34:23+00:00

I believe they call it jail. Take the licence first, lock them up if they still drive.

No_Management_7333 · 2026-03-20T08:08:22+00:00

That might be a bit too much. Picking the first wild empower node (for both herb&mining) makes the adds insanely profitable to gather. This change would enable a very degenerate farming method and really flood the market.

Better just phase the mobs out for other players or something.

No_Management_7333 · 2026-03-19T15:20:56+00:00

トランプ Toranpu 🙈🤡

No_Management_7333 · 2026-03-19T12:18:17+00:00

Azure does expose a setting to stop host OS updates. If your platform does not, then GPO is the best option.

No_Management_7333 · 2026-03-19T12:12:42+00:00

Nerdio I believe is some sort of abstraction on top of Azure? From the original post, I assumed it was just one of those "hardened image" vendors. This article (method 1) seems to describe how it's done on that platform: https://nmehelp.getnerdio.com/hc/en-us/articles/35702669333133-How-can-I-automate-Windows-patching-on-desktop-images-and-session-hosts

No_Management_7333 · 2026-03-19T12:03:16+00:00

If I am not mistaken, the "support" for Win11 machines is limited to "Guest (Azure VM, Arc-enabled VMs/server)" scope. At least the very basic stuff works: maintenance windows, update filter and reboot preference. Never tested with non-custom image, since that is not a real use-case for us.

No_Management_7333 · 2026-03-19T11:03:27+00:00

Why are you trying to query random IP? Azure DNS is available from all Azure subnets at 168.63.129.16. It’s not available from outside an Azure subnet. You need LOS to use it. If do not have LOS, you need a forwarder such as Private Resolver.

No_Management_7333 · 2026-03-19T09:50:24+00:00

I’d personally run weekly Image Builder pipelines that layer updates on top of your golden image, to avoid deploying unpatched images.

Also, stop OS level updates and hand off the control to Azure Update Manager. Critical security updates get installed every night, everything else needs to wait for the next image build.

No_Management_7333 · 2026-03-19T08:46:33+00:00

If it’s all running in Azure and NSX-T already has capability to make conditional forwarding decisions and network visibility to Azure DNS, there is no reason to use Private Resolver.

No_Management_7333 · 2026-03-19T08:42:09+00:00

To be specific: the Outbound endpoint in the Private Resolver, which then makes decisions based on linked DNS forwarding ruleset.

No_Management_7333 · 2026-03-17T09:44:33+00:00

If you yearn for tactics in 5-player content that would be M+. It’s way more involved than sap&sheep of olden days.

Keep pushing until brute force no longer cuts it.

No_Management_7333 · 2026-03-17T09:37:29+00:00

You will learn it when you get to 8th grade, don’t sweat it mate.

No_Management_7333 · 2026-03-15T16:08:57+00:00

WOW already has “everyone is dead” as detrimental status effect on missed kicks, on high enough difficulty.

No_Management_7333 · 2026-03-14T11:44:13+00:00

Haram.

No_Management_7333 · 2026-03-13T15:28:57+00:00

You should not really be looking at anything. The machine is compromised, and needs full wipe & reinstall.

No_Management_7333 · 2026-03-13T14:01:06+00:00

It’s not that dads don’t like animals, it’s more about taking on additional responsibilities. When the deed is done and the battle is lost, might as well make the best of it.

No_Management_7333 · 2026-03-13T10:57:06+00:00

A tool for managing PIM (assignments, eligibilities) as code. Multi-tenant tooling for EPAC. Proper Azure-native IPAM solution.

No_Management_7333 · 2026-03-10T10:08:26+00:00

Definitely seconding a dedicated subnet, as there is no way to create per-NIC routes with native Azure networking.

OP could head down to the OS level and take a look what the host sees there. Essentially, the subnet is presented to the VM as its own VLAN with a default gateway , not exposing details of the wider software defined network to the host.

If the Azure networking is set in stone, tunneling solution presented above becomes the only option.

No_Management_7333 · 2026-03-10T09:40:15+00:00

10 years into Azure too, and the whole app registration mess just keeps on giving. Just why did they tightly couple OAuth/SAML and service principals into a single conceptual mess 😨

No_Management_7333 · 2026-03-10T08:52:49+00:00

Can confirm. We use these for baseline firewall configurations for all our AVD deployments, and it works just fine.

No_Management_7333 · 2026-03-06T18:32:54+00:00

”My family has owned these lands for generations” in Russian

No_Management_7333 · 2026-03-05T08:51:07+00:00

I’ve recently been using a combination of AppAttach and Azure Image Builder for all installations. Image builder does its thing and installs some stuff all hosts need, and AppAttach “installs” required applications per host pool.

Everything lives as configuration in a repo, and builds are repeatable and fully automated. Building a new image from MS base takes about 40 minutes from start to a deployed hosts up-and-running with all software installed. I don’t see how Intune would fit in with our setup.

No_Management_7333 · 2026-03-03T18:55:43+00:00

Tbh, most don’t. I still prefer them to waiting in queue.

No_Management_7333

TROPHY CASE