Network Smarter, Not Harder: Tips for Windows 365 Cloud PC

Using Windows 365 is a great way to provide access to your corporate tools and applications when you are working from a different device but still need a Windows computer, or when you have contractors coming in.

But one big part of setting up Windows 365 is the network, where you have two roads to go down. You can either use the Microsoft Hosted network or you can use an Azure network connection.

This can be confusing, but let’s explore them together!

The different networks

As you have probably already realized, you have two different options when it comes to networking and Windows 365 (well, in reality you have a lot more than that). You can either use the Microsoft hosted network, which utilizes infrastructure hosted and maintained by Microsoft. This gives you the possibility to use all available regions in Windows 365 without the need to set up any additional services in Azure. This makes your setup fast and scalable, and you don’t need much knowledge about Azure networks and how to operate them. These networks also come with a bandwidth limit on outgoing traffic which, depending on your license, might be either very small or quite big.

The other option is to, as Microsoft calls it, bring your own network. This is where you control the network and configure everything for it. This requires that you set up a Virtual Network in Azure, in a region supported by Windows 365. This gives you total control over your network and you decide what the Cloud PC can access. It also gives you the possibility to provide different access to different Cloud PCs, which can be part of a least-privilege design. This virtual network would typically be connected to your internal resources. What to keep in mind here is that outgoing data is charged based on Azure bandwidth pricing. When you bring your own network, you will only be able to provision Cloud PCs in the same region as that network is set up in. If you need additional regions, you will need additional networks.

When I talk about the difference between these two, I usually compare it like this: the Microsoft hosted network is like putting your device straight on the internet or using it from home. You will need a VPN client or a similar solution to gain access to internal resources and applications. An Azure Network Connection could be compared to your corporate network, where you put your device behind the firewall and on a subnet you decide.

Configuring networks

When you are creating a provisioning policy, one of the first things you are asked to do is to select what network you would like to use.

If you are using the Microsoft Hosted network, things are pretty straightforward. You select the geography you wish to use and the region (it’s recommended to leave this at automatic, but you can pinpoint a specific region if required).

And that’s about it! You can create several profiles for different regions without the need to set up any additional infrastructure.

But if you want to use an Azure Virtual Network, there is one step you need to do beforehand. You need to create an Azure network connection (ANC) in the Windows 365 portal.

When you hit “+ Create” you get to choose between Microsoft Entra join (formerly known as Azure AD Join) and Hybrid Microsoft Entra join (formerly known as Hybrid Azure AD join). As usual we want to stay away from Hybrid, so in this example we will go with the pure cloud option.

We then need to give our ANC a name and select the subscription where your network is located. I will not cover how to configure that in this post, but you can find a basic guide here.

Once you have entered the requested information in the wizard, hit Next and you will see this message:

This means that the Windows 365 service needs those specific rights on the stated resources to be able to configure the ANC.

When you have clicked Create, the ANC will be set up. This usually takes a few minutes, so you can grab a coffee while you wait.

When your network has successfully been configured, head over to create a new provisioning policy for Windows 365 and select the Azure network connection. Keep in mind that you need to select the same join type as you did when setting up the network, otherwise it will not be in the list. You can select multiple ANCs and prioritize them as you like to create redundancy.

From here on out, it’s pretty much straightforward to complete your policy.
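The same ANC and provisioning-policy steps can be scripted against the Microsoft Graph beta endpoints for Windows 365. This is an added example, not code from the original post; it assumes the Microsoft.Graph PowerShell module, the CloudPC.ReadWrite.All permission, and the beta property names shown (connectionType, healthCheckStatus, domainJoinConfigurations), and all resource IDs are placeholders.

```powershell
# Added example: create an Azure network connection (ANC) for Microsoft Entra join,
# wait for its health check, then create a provisioning policy that references it.
Connect-MgGraph -Scopes "CloudPC.ReadWrite.All"
$graph = "https://graph.microsoft.com/beta/deviceManagement/virtualEndpoint"

$sub  = "<subscription-id>"                                   # placeholder
$rg   = "/subscriptions/$sub/resourceGroups/rg-w365-weu"       # placeholder names
$vnet = "$rg/providers/Microsoft.Network/virtualNetworks/vnet-w365-weu"

# 1. Create the ANC. Pure cloud join needs no AD domain credentials;
#    hybridAzureADJoin would additionally require adDomainName/adDomainUsername.
$ancBody = @{
    displayName      = "ANC-WEU-EntraJoin"
    connectionType   = "azureADJoin"
    subscriptionId   = $sub
    resourceGroupId  = $rg
    virtualNetworkId = $vnet
    subnetId         = "$vnet/subnets/snet-cloudpc"
}
$anc = Invoke-MgGraphRequest -Method POST -Uri "$graph/onPremisesConnections" `
    -Body ($ancBody | ConvertTo-Json)

# 2. The service validates the network (that is the "grab a coffee" wait in the portal).
#    Do not point a policy at the ANC until the health check has passed.
do {
    Start-Sleep -Seconds 60
    $state = Invoke-MgGraphRequest -Method GET -Uri "$graph/onPremisesConnections/$($anc.id)"
} while ($state.healthCheckStatus -in @("pending", "running"))
if ($state.healthCheckStatus -ne "passed") {
    throw "ANC health check ended as '$($state.healthCheckStatus)'; fix the network first."
}

# 3. Provisioning policy. domainJoinType must match the ANC's connectionType,
#    otherwise the portal would not even list the ANC; enforce the same rule here.
#    Several entries may be given; their order is the priority used for redundancy.
$joinType = "azureADJoin"
if ($state.connectionType -ne $joinType) {
    throw "Join type mismatch: ANC is $($state.connectionType), policy wants $joinType."
}
$policyBody = @{
    displayName        = "W365-Enterprise-WEU"
    imageType          = "gallery"
    imageId            = "<gallery-image-id>"                  # placeholder
    enableSingleSignOn = $true
    windowsSetting     = @{ locale = "en-US" }
    domainJoinConfigurations = @(
        @{ domainJoinType = $joinType; onPremisesConnectionId = $anc.id }
    )
}
Invoke-MgGraphRequest -Method POST -Uri "$graph/provisioningPolicies" `
    -Body ($policyBody | ConvertTo-Json -Depth 5)
```

Add a second hashtable to domainJoinConfigurations, pointing at another passed ANC in the same region, to get the prioritized redundancy described above.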

The end-user experience will differ between the two, especially if you apply firewalls and such to the Azure virtual network.

What to keep in mind?

There is no right or wrong in what to choose. It all comes down to your use case, and you can run both of them in parallel (your users can even have several Cloud PCs if you use the Windows 365 Frontline setup, but more on that in a future post).

Looking at companies I’ve worked with setting up Windows 365, this totally depends on what their idea for the platform is; “do we need computers on the inside or on the outside?” is usually where we kick things off. Sometimes we end up needing both, depending on who the user is and what they will work with.
So the big question to consider when selecting what network to use is: what will my users access the most?

Another thing that plays an important part here is what join type you need, Microsoft Entra join or Hybrid Microsoft Entra join? The Microsoft hosted network only supports Microsoft Entra join, while the Azure network connection supports both.

And lastly, it’s also good to consider where the users are located and how much time we want to spend on building networks. This is a bit oversimplified, since there can be regulatory demands that require you to use networks in a certain way, but it’s a good thing to keep in mind. We want to reduce latency for users as much as possible by giving them Cloud PCs in a location suited to them.

Personally, I’m a big fan of the Microsoft Hosted network, since it does not require any additional infrastructure and you are not dependent on other teams to configure and operate it for you. You can often access applications and resources using either VPN or a reverse proxy like Azure Application Proxy, or why not the new Global Secure Access which Microsoft has announced.

Author

  • Ola Ström

    Ola Ström is a Microsoft MVP for Windows 365 from Sweden and he is one of the first expert contributors in this community. Make sure to follow him as he guides us in the world of Windows 365 and Microsoft Intune!
