The old network security groups were wide open. Marta redesigned the virtual network. She enabled AVD’s RDP Shortpath for low latency, but forced every other packet leaving the subnet through Azure Firewall with FQDN-based filtering, so only allow-listed destinations were reachable. More critically, she deployed Network Security Groups (NSGs) at the subnet level that denied inbound RDP on TCP 3389 from everywhere. AVD session hosts do not need an open inbound port: they reach the service through outbound reverse connect to the WindowsVirtualDesktop service tag, and Shortpath for managed networks only needs UDP 3390 from the corporate client range. No public IPs, no direct internet access for session hosts. If a Cloud PC was compromised, it couldn’t phone home. It was a silent room with no windows.
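The subnet design described above, written out as an added Bicep example (this is not code from the original article or from the project it describes). It assumes a corporate client range of 10.10.0.0/16 for Shortpath, an Azure Firewall already deployed with private IP 10.0.1.4, and placeholder resource names; all three are assumptions, not values from the page.

```bicep
// Added example: lock down an AVD session-host subnet.
// Assumptions (not from the article): client range, firewall IP and names below.
param location string = resourceGroup().location
param clientNetworkPrefix string = '10.10.0.0/16' // assumed corporate client range for RDP Shortpath
param firewallPrivateIp string = '10.0.1.4'        // assumed Azure Firewall private IP (does FQDN filtering)

// NSG: the only inbound traffic a session host ever accepts is Shortpath UDP 3390
// from the corporate client range. Classic RDP on 3389 is denied outright; the AVD
// broker reaches the host through outbound reverse connect, so nothing else needs to be open.
resource avdNsg 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-avd-sessionhosts'
  location: location
  properties: {
    securityRules: [
      {
        name: 'Allow-Shortpath-From-Corp-Clients'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Allow'
          protocol: 'Udp'
          sourceAddressPrefix: clientNetworkPrefix
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '3390'
        }
      }
      {
        name: 'Deny-Inbound-RDP-3389'
        properties: {
          priority: 200
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '3389'
        }
      }
      {
        // Everything else from outside the VNet is dropped, including the default
        // AllowInternetInBound-style reachability via load balancers or public IPs.
        name: 'Deny-All-Other-Inbound'
        properties: {
          priority: 4000
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Route table: 0.0.0.0/0 goes to the firewall, so a compromised host cannot reach
// the internet directly; the firewall's FQDN rules decide what (if anything) gets out.
resource avdRoutes 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-avd-sessionhosts'
  location: location
  properties: {
    disableBgpRoutePropagation: true // ignore any 0.0.0.0/0 learned over VPN/ExpressRoute
    routes: [
      {
        name: 'default-via-firewall'
        properties: {
          addressPrefix: '0.0.0.0/0'
          nextHopType: 'VirtualAppliance'
          nextHopIpAddress: firewallPrivateIp
        }
      }
    ]
  }
}

output nsgId string = avdNsg.id
output routeTableId string = avdRoutes.id
```

Attach both outputs to the session-host subnet. Note that an NSG cannot do the "no direct internet" part on its own: NSG rules match on the packet's real destination, so an outbound deny to the Internet tag would also block the firewall-routed traffic you want. The split above is deliberate: the NSG closes the inbound attack surface, the route table plus firewall FQDN allow-list controls egress.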
The attacker lasted seven minutes. Then they vanished.
This was the nuclear option. She rebuilt the Azure Compute Gallery. Instead of persistent Cloud PCs that lived for months, she deployed multi-session AVD pools with Ephemeral OS disks, which live in the VM host’s local cache rather than in managed storage. Whenever a session host was reimaged after its users signed out, every change on it, persistence mechanisms included, was discarded and it came back from a fresh, immutable gold image.
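The ephemeral session host described above, as an added Bicep example that is not part of the original article. It assumes a gallery image version resource ID, an existing NIC ID, a VM size whose cache disk is large enough for the image, and a local admin credential; these are placeholders, not values from the page.

```bicep
// Added example: AVD session host with an ephemeral OS disk built from a gallery gold image.
// Assumptions (not from the article): the image version ID, NIC ID, VM size and credential params.
param location string = resourceGroup().location
param vmName string = 'avd-sh-01'
param vmSize string = 'Standard_D4ds_v5'   // assumed; must have a cache disk >= the image's OS disk size
param galleryImageVersionId string          // e.g. /subscriptions/.../galleries/.../images/.../versions/1.0.0
param nicId string                          // NIC already in the locked-down session-host subnet
param adminUsername string
@secure()
param adminPassword string

resource sessionHost 'Microsoft.Compute/virtualMachines@2023-09-01' = {
  name: vmName
  location: location
  properties: {
    hardwareProfile: {
      vmSize: vmSize
    }
    storageProfile: {
      // Always build from the immutable gallery version, never from a captured host.
      imageReference: {
        id: galleryImageVersionId
      }
      osDisk: {
        createOption: 'FromImage'
        caching: 'ReadOnly' // ephemeral OS disks require read-only caching
        diffDiskSettings: {
          option: 'Local'         // ephemeral: no managed disk is ever created for the OS
          placement: 'CacheDisk'  // backed by the host's local cache; reimage discards all changes
        }
      }
    }
    osProfile: {
      computerName: vmName
      adminUsername: adminUsername
      adminPassword: adminPassword
    }
    networkProfile: {
      networkInterfaces: [
        {
          id: nicId
        }
      ]
    }
  }
}

output sessionHostId string = sessionHost.id
```

Two caveats a practitioner will hit: host-pool registration (the AVD agent and registration token) is usually applied afterwards with a VM extension and is left out here, and an ephemeral OS disk cannot be stop-deallocated, so the reset path is a reimage (`az vm reimage`), which is exactly the operation that throws away whatever an attacker left behind.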