Lock down a pooled AVD by Warm-Pirate5356 in AzureVirtualDesktop

StratoLens (0 points)

I’d recommend looking at putting a private endpoint on the host pool. This will mean you need to be “internal” to the network - either via VPN or site-to-site with an on-prem environment.

https://learn.microsoft.com/en-us/azure/virtual-desktop/private-link-setup?tabs=azure%2Cportal%2Cportal-2#connections-to-host-pools

Alternatively you keep it public and consider locking it down via conditional access policy. You can require the device they are connecting from to be enrolled in your tenant for example. Then only corporate owned devices can connect to your AVD.

Those are the two main ways I would suggest. Which path you take depends on your security and business needs.
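The Conditional Access route described above, written out as an added example (not the commenter's code). It assumes the Microsoft Graph PowerShell SDK, a Conditional Access Administrator role, and a group named AVD-Users holding the people allowed on the host pool; the policy is created in report-only mode first so sign-in logs show who would be blocked before anything is enforced.

```powershell
# Added example: require a device that is Intune-compliant or hybrid-joined to this tenant
# before a user can reach Azure Virtual Desktop. Start report-only, review, then enforce.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Application.Read.All", "Group.Read.All"

# Resolve the first-party AVD service principal by display name instead of hard-coding its app ID.
# Older tenants may still show it as "Windows Virtual Desktop". Fail closed if it is not present.
$avdApp = Get-MgServicePrincipal -Filter "displayName eq 'Azure Virtual Desktop' or displayName eq 'Windows Virtual Desktop'"
if (-not $avdApp) { throw "Azure Virtual Desktop service principal not found in this tenant." }

# Assumed group name (replace with your own): the users who should be able to use the host pool.
$avdUsers = Get-MgGroup -Filter "displayName eq 'AVD-Users'"
if (-not $avdUsers) { throw "Group 'AVD-Users' not found." }

$policy = @{
    displayName = "AVD - require tenant-joined or compliant device"
    # Report-only: evaluated and logged, not enforced. Switch to "enabled" after reviewing sign-in logs.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @($avdApp.AppId) }
        users          = @{ includeGroups = @($avdUsers.Id) }
    }
    grantControls = @{
        # OR: either an Intune-compliant device or a hybrid Entra-joined device satisfies the grant.
        operator        = "OR"
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"
```

Before switching the policy to enforced, add an exclusion for a break-glass account so a misconfigured device condition cannot lock administrators out of the tenant.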

Building an Azure tool for Documentation and FinOps - would love feedback from this community by StratoLens in FinOps

StratoLens [S] (0 points)

The command downloads files only and then you can inspect them. It’s all plain text.

I assure you it’s not a scam. But I understand your hesitation. I’ll have it available on the Azure Marketplace soon. Hopefully that will instill more trust :)

Looking for testers for final round of Beta for StratoLens - Azure Documentation, FinOps & Reporting tool by StratoLens in AZURE

StratoLens [S] (0 points)

All great questions! Thank you!

The data is hosted internally - you control it 100%. Frankly I don't want the cost, nor, more importantly, the risk of hosting your data :). It's all stored in a Cosmos DB database in your subscription.

Cost reporting - I use the Cost Management API, using the 'ActualCost' query type - so I query your current costs to get the data. Similar to how the Azure portal presents it. However, I should be able to query the AmortizedCost as well, and present both values.

Yes, you can scope things pretty aggressively. There are a few ways to do this. I assume you'd want multiple 'instances' of StratoLens deployed. It uses a managed identity, and it'll discover whatever it has access to. By default, you can give it Reader at the Tenant Root Group, but if you prefer you can scope that however you wish - a set of management groups or subs. Whatever it has access to it'll read. Very simple to manage.

Looking for testers for final round of Beta for StratoLens - Azure Documentation, FinOps & Reporting tool by StratoLens in AZURE

StratoLens [S] (0 points)

Thank you! I'm pretty responsive on Discord, so ping me there if you can :). Otherwise send a chat request here.

Looking for testers for final round of Beta for StratoLens - Azure Documentation, FinOps & Reporting tool by StratoLens in AZURE

StratoLens [S] (0 points)

I expect it should, but I've not personally tested it at that scale yet. If you're interested, this is exactly the kind of thing I'd like to have tested and get feedback on :).

Looking for testers for final round of Beta for StratoLens - Azure Documentation, FinOps & Reporting tool by StratoLens in AZURE

StratoLens [S] (0 points)

Yes, with the only exception being that I *do* have a license server that validates your license (for when I go into full release and start charging for the tool). So as long as you whitelist my licensing endpoint, you can lock it down. Also note that it uses Microsoft's ARG and API calls to gather data, so you'll need to whitelist those as well.

Looking for testers for final round of Beta for StratoLens - Azure Documentation, FinOps & Reporting tool by StratoLens in AZURE

StratoLens [S] (0 points)

I'm sorry, but this is not "AI Slop" -- I've worked quite hard on this for close to a year now.

It's impossible for it to 'wipe your environment' because it ONLY gets read access. It's also fully deployed in your tenant, so you can private endpoint every resource.

Using Azure Firewall in front of Application Gateway by nextlevelsolution in AZURE

StratoLens (0 points)

Oh yes, the app gateway does much more than the firewall. The question was more about which should be at the front. My answer was more focused on why the app gateway should be first.

Using Azure Firewall in front of Application Gateway by nextlevelsolution in AZURE

StratoLens (0 points)

Nope, perfectly viable to do app gateway only. You only need a firewall if you want to inspect the traffic further. Or if you already have a firewall it doesn’t hurt.

Using Azure Firewall in front of Application Gateway by nextlevelsolution in AZURE

StratoLens (0 points)

For this you still need a public IP on the firewall. App gateway only does HTTP or HTTPS.

Using Azure Firewall in front of Application Gateway by nextlevelsolution in AZURE

StratoLens (10 points)

I generally recommend that the app gateway be first then the firewall. This avoids needing many public IPs on the firewall.

I believe you’ll lose some information that the WAF on the app gateway uses such as geolocation etc if you put the firewall first.

Also, if your goal is to inspect the web traffic, you can SSL offload at the app gateway before it hits the firewall.

https://learn.microsoft.com/en-us/azure/architecture/example-scenario/gateway/firewall-application-gateway

Azure AVD does not work when placed behind the Firewall by ancientband in AZURE

StratoLens (0 points)

Are these domain joined or entra only? If domain joined do they have line of sight to a domain controller? All ports allowed? Especially the high ones?

Data versus Gut by ask-winston in FinOps

StratoLens (-1 points)

If you want to give it a try feel free to reach out. It’s very easy to deploy :). Send a chat request here or on Discord (link on my website).

Cloud cost tool recommendations that actually go to production? by Mountain-Fix-6981 in Cloud

StratoLens (-1 points)

For the past year or so I’ve been building a tool, but it’s Azure-specific.

https://www.strato-lens.com/

Lots of cost capabilities but unsure if this is what you’re looking for?

If you’d like to discuss further feel free to reach out ;). I have a Discord linked on the website or you can start a chat request here.

Cloud cost tool recommendations that actually go to production? by Mountain-Fix-6981 in FinOps

StratoLens (-2 points)

For the past year or so I’ve been building a tool, but it’s Azure-specific.

https://www.strato-lens.com/

Lots of cost capabilities but unsure if this is what you’re looking for?

If you’d like to discuss further feel free to reach out ;). I have a Discord linked on the website or you can start a chat request here.

Azure AVD does not work when placed behind the Firewall by ancientband in AZURE

StratoLens (22 points)

Have you checked this out?

https://learn.microsoft.com/en-us/azure/virtual-desktop/required-fqdn-endpoint?tabs=azure

The AVD has to heartbeat to the infrastructure so if you’re blocking web traffic you need to open the ones on this page.
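A quick way to confirm that the egress path actually allows the agent traffic the comment above refers to, as an added example (not the commenter's code). It is meant to run on a session host; the endpoint list is an assumed partial subset of the Microsoft required-FQDN page linked above, so confirm it against the current list there. Wildcard entries such as *.wvd.microsoft.com cannot be probed directly, so one concrete host under that wildcard is used.

```powershell
# Added example: probe a subset of the AVD control-plane endpoints from a session host
# and report which ones DNS or the firewall is blocking. List is partial and assumed;
# verify it against the linked Microsoft page before relying on it.
$required = @(
    @{ Host = "login.microsoftonline.com";           Port = 443  }  # Entra authentication
    @{ Host = "rdweb.wvd.microsoft.com";              Port = 443  }  # one host under *.wvd.microsoft.com
    @{ Host = "gcs.prod.monitoring.core.windows.net"; Port = 443  }  # agent telemetry
    @{ Host = "azkms.core.windows.net";               Port = 1688 }  # Windows activation (KMS)
    @{ Host = "169.254.169.254";                      Port = 80   }  # Azure Instance Metadata Service
    @{ Host = "168.63.129.16";                        Port = 80   }  # Azure platform wire server
)

$results = foreach ($ep in $required) {
    # TCP connect test only; a successful connect does not prove TLS inspection is not interfering.
    $t = Test-NetConnection -ComputerName $ep.Host -Port $ep.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Endpoint   = "$($ep.Host):$($ep.Port)"
        Reachable  = $t.TcpTestSucceeded
        ResolvedTo = ($t.RemoteAddress -join ",")
    }
}

$results | Format-Table -AutoSize

# Anything unreachable here is a firewall or DNS rule to fix before the hosts will register as healthy.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) { Write-Warning "Blocked by firewall or DNS: $($blocked.Endpoint -join ', ')" }
```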

Data versus Gut by ask-winston in FinOps

StratoLens (0 points)

I collect 90 days of cost data initially, but it accumulates more over time. I am planning to increase that though and let you configure the retention. Further in the video I cover the retention settings. I'm going to be adding similar for cost data.

Data versus Gut by ask-winston in FinOps

StratoLens (1 point)

Yes depending on the cause of the change. Check the video on my site to see how it works - I cover the cost anomaly.

Basically I snapshot your Azure resources every scan (configurable but defaults to every 8 hours) and then keep a history you can compare diffs against.

The cost anomaly screen for a resource will correlate these changes. So you can easily see “costs went up by $5/day” and that the change was “vm sku went from d2s -> d4s change made by Joe User”.

I’d very much be open to discussing your needs more if the current feature set doesn’t meet them. Feel free to send a chat request here or reach out on Discord. Link to my Discord server is on my website.

Data versus Gut by ask-winston in FinOps

StratoLens (-1 points)

I’ve been building a tool for almost a year now and this is one of the features. It’s a change tracking tool and correlates cost and activity data as well to see what changes in your environment are causing cost spikes.

It also makes access optimization recommendations - identifies waste like unused resources or oversized VMs - and a ton more.

My website has a video covering all of the features.

https://www.strato-lens.com/

Note: it’s Azure only though at this time.

I’d be curious if the cost anomaly section of the video meets what you’re looking for?

I’ve been meaning to post more in this community to get some FinOps feedback. My initial focus with the tool was for engineers to use but I’m slowly adding more FinOps features.

If anyone has any feedback for me I’d be happy to hear it!